January's Patch Addresses Bug in Server Message Block

As expected, it's a one-patch Tuesday, with a single item deemed "critical" in Microsoft's first security update for the year.

As expected, it's a one-patch Tuesday, with a single item deemed "critical" in Microsoft's first security update for the year. The January update, described in Security Bulletin MS09-001, is said to resolve newly discovered, yet not publicly disclosed, vulnerabilities in the Microsoft Server Message Block Protocol.

The patch applies to Microsoft Windows 2000, Windows XP and Vista, as well as Windows Server 2003 and Windows Server 2008. It addresses a bug that could permit remote code execution attacks.

The flaws outlined in this patch could enable an attacker to send malicious packets to a Windows workstation, enabling him to run amok with no credentials required, according to Shavlik Technologies' Chief Technology Officer Eric Schultze. Internet firewalls and personal firewalls typically block the ports used for these attacks. However, such ports are typically left open in a corporate network, Schultze explained.

"If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly," he added.

Security experts say that this security release is unique in that it represents a more rare server-side hotfix.

"Microsoft is right on the money stating that domain controllers are at greater risk than workstations and servers," said Tyler Reguly, senior security engineer for IT security group nCircle. "Domain controllers are at the head of any Windows shop. Therefore, similar to the statement, 'Cut off the head and the rest will die,' if an intruder can own the domain controller, they can own everything."

The patch installation will require a restart to take effect. For information about nonsecurity updates, systems administrators can read this Microsoft knowledgebase article provided with each security rollout.

January's light security update stands in marked contrast to December's patch, which addressed the most vulnerabilities so far for Patch Tuesday. Microsoft also had an out-of-cycle patch for Internet Explorer just before the New Year.

In addition to Microsoft's announcement, Oracle released a mammoth security update for shops using its database applications. Oracle's quarterly critical patch update also happened to be released on the second Tuesday of this month. It contains fixes for 41 vulnerabilities "across hundreds of Oracle products."

The security update applies to Oracle Database versions 9i, 10g and 11g, Oracle Secure Backup, Oracle TimesTen, Oracle Application Server, Oracle Collaboration Suite and Oracle WebLogic Server. Oracle Secure Backup has the most critical vulnerabilities and will get nine security fixes.

"Ten of the 41 patches Oracle plans to release are vulnerabilities that can be exploited remotely and anonymously," said Alfred Huger, vice president of Symantec Security Response. "Patches for 'Oracle Times Ten Data Server' and 'Oracle Secure Backup' should be applied immediately by all customers."

Those swept up in the Oracle patching frenzy will likely start with the Microsoft fix first and then take more time to evaluate the Oracle updates to see what's truly relevant, according to Qualys' Chief Technology Officer Wolfgang Kandek.

"For Windows, there is a structured patching environment and the tools are there," Kandek explained. "The infrastructure there is more prepared. In general we see Oracle and others moving slower in the patch cycle deployment than Microsoft. Either way, it's a big day."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

  • Kaspersky Lab Nabs Another Windows Zero-Day

    Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.