Microsoft slates single Windows patch for Tuesday
Microsoft Thursday said it will issue just one security update next week, down dramatically from last month's record-setting eight updates that patched 28 vulnerabilities.
The single security update slated for Tuesday, Jan. 13, has been tagged "critical" by Microsoft, which posted its usual advance notice Thursday of what to expect for its monthly patch cycle.
All currently-supported versions of Windows are affected, said Microsoft. As is often the case, older editions -- Windows 2000 , Windows XP and Windows Server 2003 -- are at more risk than the newer Windows Vista and Windows Server 2008. Microsoft rated the threat to the older versions as critical, but pegged the threat to newer editions as "moderate," the second-from-the-bottom rating in the company's four-step scoring system.
Andrew Storms, director of security operations at nCircle Network Security Inc., again put his money on a long-standing Windows bug as the problem Microsoft will patch.
"My guess is that it's the token kidnapping bug," said Storms, who had named the same unpatched vulnerability as a likely suspect before Microsoft's December patching. "There are three outstanding vulnerabilities. That one, WordPad and SQL Server. WordPad isn't in Windows Server 2008," said Storms, who noted that the server software is set for a patch next week. "And if they were going to patch SQL Server, I think they would list it as 'SQL Server,' not 'Windows,'" he added.
Two weeks ago, Microsoft confirmed that it has been working on a fix for a critical vulnerability in SQL Server for almost nine eight months, but denied that it has had a patch ready since September, as an Austrian security researcher has alleged.
The Windows vulnerability Storms cited was first acknowledged by Microsoft in April 2008, several weeks after researcher Cesar Cerrudo said he would disclose a Windows flaw at an upcoming conference. At the time, Microsoft had downplayed the issue , going so far as to label the problem a "design flaw," not a security bug.
Several months later, Microsoft confirmed that hackers were actively exploiting the bug , which remains unpatched.
"You always have to start with the known," Storms added, referring to the list of open Microsoft issues, "but because this [bug] is in all versions of Windows, it could also be another GDI vulnerability."
Storms was talking about the Graphics Device Interface (GDI), the core graphics rendering component of Windows, which has been repeatedly repaired by Microsoft, most recently last month in December's massive 28-patch update.
Another clue that may point to a fix for something other than Cerrudo's bug was Microsoft's designation of the vulnerability as an "elevation of privilege" issue. Typically, Microsoft does not rank that class of vulnerabilities as critical.
"That may be the fly in my ointment," admitted Storms.
Microsoft will release January's sole security update at approximately 1 p.m. EST on Tuesday.
» posted by ITworld staff
Computerworld
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
