Patches for Server Message Block, Media Player
As expected, it's a one-patch Tuesday, with a single item deemed "critical" in Microsoft's first security update for the year. The January update, described in Security Bulletin MS09-001, is said to resolve newly discovered, yet not publicly disclosed, vulnerabilities in the Microsoft Server Message Block Protocol.
The patch applies to Microsoft Windows 2000, Windows XP and Vista, as well as Windows Server 2003 and Windows Server 2008. It addresses a bug that could permit remote code execution attacks.
The flaws outlined in this patch could enable an attacker to send malicious packets to a Windows workstation, enabling him to run amok with no credentials required, according to Shavlik Technologies' Chief Technology Officer Eric Schultze. Internet firewalls and personal firewalls typically block the ports used for these attacks. However, such ports are typically left open in a corporate network, Schultze explained.
"If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly," he added.
Security experts say that this security release is unique in that it represents a more rare server-side hotfix.
"Microsoft is right on the money stating that domain controllers are at greater risk than workstations and servers," said Tyler Reguly, senior security engineer for IT security group nCircle. "Domain controllers are at the head of any Windows shop. Therefore, similar to the statement, 'Cut off the head and the rest will die,' if an intruder can own the domain controller, they can own everything."
The patch installation will require a restart to take effect. For information about nonsecurity updates, systems administrators can read this Microsoft knowledgebase article provided with each security rollout.
January's light security update stands in marked contrast to December's patch, which addressed the most vulnerabilities so far for Patch Tuesday. Microsoft also had an out-of-cycle patch for Internet Explorer just before the New Year.
In addition to Microsoft's announcement, Oracle released a mammoth security update for shops using its database applications. Oracle's quarterly critical patch update also happened to be released on the second Tuesday of this month. It contains fixes for 41 vulnerabilities "across hundreds of Oracle products."
The security update applies to Oracle Database versions 9i, 10g and 11g, Oracle Secure Backup, Oracle TimesTen, Oracle Application Server, Oracle Collaboration Suite and Oracle WebLogic Server. Oracle Secure Backup has the most critical vulnerabilities and will get nine security fixes.
"Ten of the 41 patches Oracle plans to release are vulnerabilities that can be exploited remotely and anonymously," said Alfred Huger, vice president of Symantec Security Response. "Patches for 'Oracle Times Ten Data Server' and 'Oracle Secure Backup' should be applied immediately by all customers."
Those swept up in the Oracle patching frenzy will likely start with the Microsoft fix first and then take more time to evaluate the Oracle updates to see what's truly relevant, according to Qualys' Chief Technology Officer Wolfgang Kandek.
"For Windows, there is a structured patching environment and the tools are there," Kandek explained. "The infrastructure there is more prepared. In general we see Oracle and others moving slower in the patch cycle deployment than Microsoft. Either way, it's a big day."
Windows Media Player update
Microsoft also published an update to a Windows Media Player patch on Tuesday.
At issue is a glitch that results in an incomplete installation of December's MS08-076 Windows Media Component patch on Windows XP systems running Windows Media Format Runtime 9.5. The bulletin addendum, dated Jan. 13, is supposed to fix that glitch.
The revised bulletin also now lists Windows Media Player 6.4 and Windows Media Services 4.1 as affected for all editions of Microsoft Windows 2000 Service Pack 4 -- not just for Microsoft Windows 2000 Server SP4.
The update comes just weeks after Microsoft spokesperson Christopher Budd adamantly denied a report detailing a potential remote code execution hole in Windows Media Player. Security researcher Laurent Gaffi had described a vulnerability that could be used by hackers armed with malformed .wav, .snd, or .mid audio files to compromise a PC running Windows XP or Vista.
Budd negated that security claim, but he did confirm that Gaffi's proof-of-concept code could trigger a crash of the Windows-based app. Budd added that Windows Media Player can be restarted without harming the operating system. He suggested that the security update would fix the loose ends.
Researchers at Microsoft's Research and Defense group spelled out in mathematical and technological language how that the particular flaw mentioned by Gaffi is not a threat.
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.