January 13, 2009, 2:30 PM — Microsoft kept things to a minimum with its first set of security updates for 2009, but corporate system administrators who were expecting a quiet week got something else altogether, thanks to Oracle and Research In Motion.
Oracle is expected to release its quarterly Critical Patch Update Tuesday, which will include 41 security patches in its database and enterprise software products. On Monday, RIM released an "interim" patch for its BlackBerry Enterprise Server and BlackBerry Professional Software, fixing a critical flaw in the way those servers process PDF documents.
Microsoft's update is important, too. It fixes three bugs in the Windows Server Message Block (SMB) file and print service. "An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its Security Bulletin explaining the problem.
The update is rated critical for Windows 2000, XP and Windows Server 2003, but moderate for Vista and Windows Server 2008. The beta version of Microsoft's upcoming Windows 7 operating system is affected by one of the flaws, but since Microsoft doesn't fix beta software in its monthly security updates, beta testers will have to wait until the next public release of Windows 7 for a fix.
Because of the nature of the flaws, Microsoft doesn't think that it's likely that attackers will be able to write attacks that let them install unauthorized software on a victim's machine, but one hacker has already released code that he says can be used to make an unpatched Vista system crash. That's known as a denial-of-service attack.
One of the hackers most likely to try to exploit these bugs, Metasploit developer HD Moore said Tuesday that he agreed with Microsoft's assessment. In a Twitter message Tuesday he said he was "giving up on finding exploitable vectors" for the bug.
In a Tuesday blog posting explaining the risks of an attack, Microsoft said that corporate users should patch "SMB servers and Domain Controllers immediately since a system DoS would have a high impact."
Microsoft did not release a much-anticipated patch for its SQL Server software Tuesday, and security experts say that the flaw is a prime candidate to be fixed in next month's updates, due Feb. 10. The researcher who disclosed the flaw said recently that Microsoft has known about the issue since April, and had written a patch for it back in September.
Microsoft also took steps to curb growing exploitation of a bug in its Windows Server service, which was patched late last year. On Tuesday, it released an updated version of its Malicious Software Removal Tool designed to root out a worm that has infected millions of PCs in the past few months. On Monday, Symantec said that it had seen computers from more than 3 million different Internet Protocol addresses try to connect with the worm's command and control server.
This worm, which is known by a variety of names including Downadup and Conficker, has been spreading with particular virulence over the past three weeks, security vendors said.
Although there will be a lot of new enterprise patches by day's end, Qualys Chief Technology Officer Wolfgang Kandek said he expected that most users would start with the Microsoft fix and take much more time to test the Oracle and BlackBerry updates. "People have high-value systems running on this, so they're very leery to disrupt their operations," he said.
