Microsoft Issues 5 Important Security Bulletins

For its "Patch Tuesday" this month, Microsoft delivered five security bulletins for what it called "important" security flaws, including one publicly known flaw in the Windows Internet Naming Service (WINS).

Although there were no flaws rated "critical" in the batch of new patches on Tuesday, Microsoft did take the opportunity to warn users once again to apply the critical patch for Internet Explorer that the company released ahead of schedule earlier this month. That patch, MS04-040, was one of the rare cases where a vulnerability is so serious that Microsoft released the patch ahead of its usual release date, which falls on the second Tuesday of every month.

Until Tuesday, Microsoft had another well-known vulnerability in the public domain, this one involving WINS. Normally, Microsoft's flaws are reported privately by third-party security firms or discovered internally by Microsoft, and in most cases the security bulletin itself is the first public disclosure of the flaw.

Microsoft provided a patch for the WINS flaw on Tuesday in its bulletin MS04-045. The vulnerability could allow an attacker to take complete control of a server over the Internet. The flaw affected Windows Server 2003, Windows 2000 Server and Windows NT 4.0 Server.

In addition to the bulletin for the problem in WINS, Microsoft addressed flaws in WordPad (MS04-041), DHCP (MS04-042), HyperTerminal (MS04-043) and the Windows kernel and LSASS (MS04-044). Attacks enabled by the flaws ranged from denial-of-service to remote code execution to elevation of privileges.

In all, Microsoft released six bulletins for the month of December. That comes after the company posted one security bulletin in November and 10 bulletins in October. Assuming no more out-of-cycle bulletins come for the rest of the month, Microsoft will have delivered 45 security bulletins this year.

All six of the new flaws patched this month affected Windows NT 4.0 Server, which sees its support formally end on Dec. 31. Beginning next month, Microsoft will not publicly post Windows NT patches for new security flaws. Only customers who enter custom support deals with Microsoft will continue to receive Windows NT 4.0 Server patches, and then only for flaws that are rated important or critical. However, patches for flaws like the one affecting IE this month may still be posted for all customers for the next two years. Microsoft officials have said they will make patches generally available for free in cases where the underlying flaw threatens the stability and security of the Internet.

A master list of the December bulletins is available here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

