Microsoft Issues 5 Important Security Bulletins
- By Scott Bekker
For its "Patch Tuesday" this month, Microsoft delivered five security bulletins for what it called "important" security flaws, including one publicly known flaw in the Windows Internet Naming Service (WINS).
Although there were no flaws rated "critical" in the batch of new patches on Tuesday, Microsoft did take the opportunity to warn users once again to apply the critical patch for Internet Explorer that the company released ahead of schedule earlier this month. That patch, MS04-040, was one of the rare cases where a vulnerability is so serious that Microsoft released the patch ahead of its usual release date, which falls on the second Tuesday of every month.
Until Tuesday, Microsoft had another well known vulnerability in the public domain involving WINS. Normally, Microsoft's flaws are reported privately by third-party security firms or discovered internally by Microsoft, and in most cases the security bulletin itself is the first public disclosure of the flaw.
Microsoft provided a patch for the WINS flaw on Tuesday in its bulletin MS04-045. The vulnerability could allow an attacker to take complete control of a server over the Internet. The flaw affected Windows Server 2003, Windows 2000 Server and Windows NT 4.0 Server.
In addition to the bulletin for the problem in WINS, Microsoft addressed flaws in WordPad (MS04-041), DHCP (MS04-042), HyperTerminal (MS04-043) and the Windows kernel and LSASS (MS04-044). Attacks enabled by the flaws ranged from denial-of-service to remote code execution to elevation of privileges.
In all, Microsoft released six bulletins for the month of December. That comes after the company posted one security bulletin in November and 10 bulletins in October. Assuming no more out-of-cycle bulletins come for the rest of the month, Microsoft will have delivered 45 security bulletins this year.
All six of the new flaws patched this month affected Windows NT 4.0 Server, which sees its support formally end on Dec. 31. Beginning next month, Microsoft will not publicly post Windows NT patches for new security flaws. Only customers who enter custom support deals with Microsoft will continue to receive Windows NT 4.0 Server patches, and then only for flaws that are rated important or critical. However, patches for flaws like the one affecting IE this month may still be posted for all customers for the next two years. Microsoft officials have said they will make patches generally available for free in cases where the underlying flaw threatens the stability and security of the Internet.
A master list of the December bulletins is available here.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.