
No Windows 7 Server patch in light Microsoft security update

Easing into the New Year with next week's update

Microsoft's security update out next week won't patch a crippling bug in Windows 7 that went public nearly two months ago.

Instead, the expected update will patch just one vulnerability rated 'critical' - Microsoft's most serious rating in its four-step scoring system - in Windows 2000.

The bug also affects Windows XP, Vista and Windows 7, as well as Windows Server 2003, Server 2008 and Server 2008 R2, but is tagged as 'low' for those editions.

"The first thing that came to mind was a denial-of-service vulnerability for the newer [operating systems], and a remote code execution on Windows 2000," said Andrew Storms, director of security operations at nCircle Network Security.

Microsoft downplayed the threat even to Windows 2000 users.

"The Exploitability Index rating for this issue will not be high, which lowers the overall risk," said Jerry Bryant, a Microsoft security spokesman, in a post to the company's security response center blog.

Storms welcomed next week's light patch load, which follows several months of multiple updates: Microsoft set a security record in October when it patched 34 vulnerabilities in 13 separate updates, for example.

"It's nice to have a light month, especially with the uptick in Adobe vulnerabilities," said Storms, referring to a bug in Adobe's popular PDF software that is also slated to be patched January 12.

Adobe, which last summer committed to releasing security updates for Reader and Acrobat each quarter, will also patch bugs next Tuesday.

Adobe published its own pre-patch notification but, as is its practice, declined to say how many vulnerabilities, other than the one now being used by hackers, will be addressed.

For its part, Microsoft is skipping one patch next week, Bryant confirmed, admitting the company will not fix an outstanding denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2.

"We are still working on an update for the issue at this time," he said.

In mid-November, Microsoft confirmed that the bug in SMB (Server Message Block), a Microsoft-made network file and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.

Microsoft has maintained that the vulnerability cannot be used to hijack PCs.

The Windows 7 flaw was first reported by Canadian researcher Laurent Gaffie on November 11, 2009, just a day after Microsoft shipped that month's patches, when he published proof-of-concept attack code to a security mailing list.

According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.

"From a public [relations] perspective, I would have expected Microsoft to patch the SMB bug this month," said Storms. "On the other hand, I'm not surprised they won't, since it's only a denial-of-service bug."





