
Microsoft Issues 5 Important Security Bulletins

For its "Patch Tuesday" this month, Microsoft delivered five security bulletins for what it called "important" security flaws, including one publicly known flaw in the Windows Internet Naming Service (WINS).

Although there were no flaws rated "critical" in the batch of new patches on Tuesday, Microsoft did take the opportunity to warn users once again to apply the critical patch for Internet Explorer that the company released ahead of schedule earlier this month. That patch, MS04-040, was one of the rare cases where a vulnerability is so serious that Microsoft released the patch ahead of its usual release date, which falls on the second Tuesday of every month.

Until Tuesday, Microsoft had another well-known vulnerability in the public domain, this one involving WINS. Normally, Microsoft's flaws are reported privately by third-party security firms or discovered internally by Microsoft, and in most cases the security bulletin itself is the first public disclosure of the flaw.

Microsoft provided a patch for the WINS flaw on Tuesday in its bulletin MS04-045. The vulnerability could allow an attacker to take complete control of a server over the Internet. The flaw affected Windows Server 2003, Windows 2000 Server and Windows NT 4.0 Server.

In addition to the bulletin for the problem in WINS, Microsoft addressed flaws in WordPad (MS04-041), DHCP (MS04-042), HyperTerminal (MS04-043) and the Windows kernel and LSASS (MS04-044). Attacks enabled by the flaws ranged from denial-of-service to remote code execution to elevation of privileges.

In all, Microsoft released six bulletins for the month of December. That comes after the company posted one security bulletin in November and 10 bulletins in October. Assuming no more out-of-cycle bulletins come for the rest of the month, Microsoft will have delivered 45 security bulletins this year.

All six of the new flaws patched this month affected Windows NT 4.0 Server, which sees its support formally end on Dec. 31. Beginning next month, Microsoft will not publicly post Windows NT patches for new security flaws. Only customers who enter custom support deals with Microsoft will continue to receive Windows NT 4.0 Server patches, and then only for flaws that are rated important or critical. However, patches for flaws like the one affecting IE this month may still be posted for all customers for the next two years. Microsoft officials have said they will make patches generally available for free in cases where the underlying flaw threatens the stability and security of the Internet.

A master list of the December bulletins is available here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
