January's Patch Addresses Bug in Server Message Block

As expected, it's a one-patch Tuesday, with a single item deemed "critical" in Microsoft's first security update for the year.

As expected, it's a one-patch Tuesday, with a single item deemed "critical" in Microsoft's first security update for the year. The January update, described in Security Bulletin MS09-001, is said to resolve newly discovered, yet not publicly disclosed, vulnerabilities in the Microsoft Server Message Block Protocol.

The patch applies to Microsoft Windows 2000, Windows XP and Vista, as well as Windows Server 2003 and Windows Server 2008. It addresses a bug that could permit remote code execution attacks.

The flaws outlined in this patch could enable an attacker to send malicious packets to a Windows workstation, enabling him to run amok with no credentials required, according to Shavlik Technologies' Chief Technology Officer Eric Schultze. Internet firewalls and personal firewalls typically block the ports used for these attacks. However, such ports are typically left open in a corporate network, Schultze explained.

"If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly," he added.

Security experts say that this security release is unique in that it represents a more rare server-side hotfix.

"Microsoft is right on the money stating that domain controllers are at greater risk than workstations and servers," said Tyler Reguly, senior security engineer for IT security group nCircle. "Domain controllers are at the head of any Windows shop. Therefore, similar to the statement, 'Cut off the head and the rest will die,' if an intruder can own the domain controller, they can own everything."

The patch installation will require a restart to take effect. For information about nonsecurity updates, systems administrators can read this Microsoft knowledgebase article provided with each security rollout.

January's light security update stands in marked contrast to December's patch, which addressed the most vulnerabilities so far for Patch Tuesday. Microsoft also had an out-of-cycle patch for Internet Explorer just before the New Year.

In addition to Microsoft's announcement, Oracle released a mammoth security update for shops using its database applications. Oracle's quarterly critical patch update also happened to be released on the second Tuesday of this month. It contains fixes for 41 vulnerabilities "across hundreds of Oracle products."

The security update applies to Oracle Database versions 9i, 10g and 11g, Oracle Secure Backup, Oracle TimesTen, Oracle Application Server, Oracle Collaboration Suite and Oracle WebLogic Server. Oracle Secure Backup has the most critical vulnerabilities and will get nine security fixes.

"Ten of the 41 patches Oracle plans to release are vulnerabilities that can be exploited remotely and anonymously," said Alfred Huger, vice president of Symantec Security Response. "Patches for 'Oracle Times Ten Data Server' and 'Oracle Secure Backup' should be applied immediately by all customers."

Those swept up in the Oracle patching frenzy will likely start with the Microsoft fix first and then take more time to evaluate the Oracle updates to see what's truly relevant, according to Qualys' Chief Technology Officer Wolfgang Kandek.

"For Windows, there is a structured patching environment and the tools are there," Kandek explained. "The infrastructure there is more prepared. In general we see Oracle and others moving slower in the patch cycle deployment than Microsoft. Either way, it's a big day."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus