Microsoft, RIM, Oracle release critical patches

The beta version of Microsoft's upcoming Windows 7 operating system is affected by one of the flaws.

Microsoft kept things to a minimum with its first set of security updates for 2009, but corporate system administrators who were expecting a quiet week got something else altogether, thanks to Oracle and Research In Motion.

Oracle is expected to release its quarterly Critical Patch Update Tuesday, which will include 41 security patches in its database and enterprise software products. On Monday, RIM released an "interim" patch for its BlackBerry Enterprise Server and BlackBerry Professional Software, fixing a critical flaw in the way those servers process PDF documents.

Microsoft's update is important, too. It fixes three bugs in the Windows Server Message Block (SMB) file and print service. "An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its Security Bulletin explaining the problem.

The update is rated critical for Windows 2000, XP and Windows Server 2003, but moderate for Vista and Windows Server 2008. The beta version of Microsoft's upcoming Windows 7 operating system is affected by one of the flaws, but since Microsoft doesn't fix beta software in its monthly security updates, beta testers will have to wait until the next public release of Windows 7 for a fix.

Because of the nature of the flaws, Microsoft doesn't think that it's likely that attackers will be able to write attacks that let them install unauthorized software on a victim's machine, but one hacker has already released code that he says can be used to make an unpatched Vista system crash. That's known as a denial-of-service attack.

One of the hackers most likely to try to exploit these bugs, Metasploit developer HD Moore said Tuesday that he agreed with Microsoft's assessment. In a Twitter message Tuesday he said he was "giving up on finding exploitable vectors" for the bug.

In a Tuesday blog posting explaining the risks of an attack, Microsoft said that corporate users should patch "SMB servers and Domain Controllers immediately since a system DoS would have a high impact."

Microsoft did not release a much-anticipated patch for its SQL Server software Tuesday, and security experts say that the flaw is a prime candidate to be fixed in next month's updates, due Feb. 10. The researcher who disclosed the flaw said recently that Microsoft has known about the issue since April, and had written a patch for it back in September.

Microsoft also took steps to curb growing exploitation of a bug in its Windows Server service, which was patched late last year. On Tuesday, it released an updated version of its Malicious Software Removal Tool designed to root out a worm that has infected millions of PCs in the past few months. On Monday, Symantec said that it had seen computers from more than 3 million different Internet Protocol addresses try to connect with the worm's command and control server.

This worm, which is known by a variety of names including Downadup and Conficker, has been spreading with particular virulence over the past three weeks, security vendors said.

Although there will be a lot of new enterprise patches by day's end, Qualys Chief Technology Officer Wolfgang Kandek said he expected that most users would start with the Microsoft fix and take much more time to test the Oracle and BlackBerry updates. "People have high-value systems running on this, so they're very leery to disrupt their operations," he said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags RIMWindowsOracle

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?