Microsoft Fixes Three Bugs in First 2009 Patch Tuesday
By Jennifer LeClaire / CRM Daily
Microsoft released critical fixes on Patch Tuesday for vulnerabilities that could leave the door open for worms that wreak havoc on business networks. In all, Microsoft released one security bulletin that addresses three vulnerabilities, two of them rated critical.

"Both vulnerabilities rated as critical by Microsoft are server-side remote code-execution vulnerabilities in the Server Message Block (SMB) protocol," said Alfred Huger, vice president of Symantec Security Response. "Remote attackers, even without a username and password, can take advantage of this issue and execute any commands they wish on the vulnerable server."

How Big is the Threat?

Wolfgang Kandek, CTO of Qualys, agreed that none of the three SMB vulnerabilities require credentials or user actions for successful exploitation. In addition, he noted, SMB is installed on all Windows operating systems by default, making it a critical component.

"IT administrators should treat the bulletin with attention, as the vulnerabilities can result in a denial-of-service attack or remote code execution," Kandek said. "The Exploitability Index for this month rates all CVEs at level three, 'functioning exploit code unlikely,' which is surprising to us as there have been discussions on CVE-2008-4114 regarding ways to exploit the vulnerability. Although we have not seen an active exploit in the wild, we were able to reproduce the denial-of-service condition in a lab environment. It is interesting that Microsoft would rate it a three, as there has been knowledge shared on how to exploit it."

Even though the SMB vulnerabilities are listed as critical, Andrew Storms, director of Security at nCircle, said nearly all users will find themselves automatically protected by default operating system and firewall configurations. "Despite these existing configuration protections, users are still urged to install this patch ASAP," he said. "Everyone should try to start the new year out right by taking this slow MS month to ensure they have updated their systems with the many patches released in 2008."

What's Missing?

Tyler Reguly, senior security engineer at nCircle, said Microsoft is correct in stating that domain controllers are at greater risk than workstations and servers.

"Domain controllers are at the head of any Windows shop. Therefore, similar to the statement 'Cut off the head and the rest will die,' if an intruder can own the domain controller, they can own everything. I'm sure we'll see this actively exploited before too long; it's very important that organizations patch as soon as possible," Reguly said. "The continuing economic pressure increases the odds of an insider threat, and these vulnerabilities are exactly the kind of thing insiders exploit."

Noticeably absent from the January bulletin is a fix for MS-SQL server (961040), which Kandek expected to be part of this month's release. Most likely last month's large security update, followed by the Internet Explorer out-of-band patch (MS08-078), has left little time for releasing an additional MS-SQL patch, he said.

"For the last four months, Microsoft's patching rhythm has been disrupted with October's out-of-band patch as well as another in December, keeping the holiday period busy," Kandek said. "We will have to see if 2009 follows suit. We are keeping a close eye on Vista and its deployment numbers in the enterprise as well as gaining our first impressions of Windows 7."

