January's Patch Addresses Bug in Server Message Block

As expected, it's a one-patch Tuesday, with a single item deemed "critical" in Microsoft's first security update for the year. The January update, described in Security Bulletin MS09-001, is said to resolve newly discovered, yet not publicly disclosed, vulnerabilities in the Microsoft Server Message Block Protocol.

The patch applies to Microsoft Windows 2000, Windows XP and Vista, as well as Windows Server 2003 and Windows Server 2008. It addresses a bug that could permit remote code execution attacks.

The flaws outlined in this patch could enable an attacker to send malicious packets to a Windows workstation, enabling him to run amok with no credentials required, according to Shavlik Technologies' Chief Technology Officer Eric Schultze. Internet firewalls and personal firewalls typically block the ports used for these attacks. However, such ports are typically left open in a corporate network, Schultze explained.

"If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly," he added.

Security experts say that this security release is unique in that it represents a more rare server-side hotfix.

"Microsoft is right on the money stating that domain controllers are at greater risk than workstations and servers," said Tyler Reguly, senior security engineer for IT security group nCircle. "Domain controllers are at the head of any Windows shop. Therefore, similar to the statement, 'Cut off the head and the rest will die,' if an intruder can own the domain controller, they can own everything."

The patch installation will require a restart to take effect. For information about nonsecurity updates, systems administrators can read this Microsoft knowledgebase article provided with each security rollout.

January's light security update stands in marked contrast to December's patch, which addressed the most vulnerabilities so far for Patch Tuesday. Microsoft also had an out-of-cycle patch for Internet Explorer just before the New Year.

In addition to Microsoft's announcement, Oracle released a mammoth security update for shops using its database applications. Oracle's quarterly critical patch update also happened to be released on the second Tuesday of this month. It contains fixes for 41 vulnerabilities "across hundreds of Oracle products."

The security update applies to Oracle Database versions 9i, 10g and 11g, Oracle Secure Backup, Oracle TimesTen, Oracle Application Server, Oracle Collaboration Suite and Oracle WebLogic Server. Oracle Secure Backup has the most critical vulnerabilities and will get nine security fixes.

"Ten of the 41 patches Oracle plans to release are vulnerabilities that can be exploited remotely and anonymously," said Alfred Huger, vice president of Symantec Security Response. "Patches for 'Oracle Times Ten Data Server' and 'Oracle Secure Backup' should be applied immediately by all customers."

Those swept up in the Oracle patching frenzy will likely start with the Microsoft fix first and then take more time to evaluate the Oracle updates to see what's truly relevant, according to Qualys' Chief Technology Officer Wolfgang Kandek.

"For Windows, there is a structured patching environment and the tools are there," Kandek explained. "The infrastructure there is more prepared. In general we see Oracle and others moving slower in the patch cycle deployment than Microsoft. Either way, it's a big day."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.