
Jan 19, 2009 10:37 GMT

With the January 2009 release of security updates, Microsoft patched a total of three vulnerabilities in its Windows client and server operating systems. Last week, the Redmond company made available for download a single security bulletin designed to patch the vulnerabilities, and subsequently issued the January 2009 Security Release ISO Image. According to the software giant, the DVD5 ISO image file with the security patches for Windows is available for Windows 2000, Windows Server 2003, Windows XP (including SP3), Windows Vista RTM/SP1, and Windows Server 2008.

“This is a light month—the vendor is releasing only one bulletin covering a total of three vulnerabilities affecting Server Message Block (SMB). Of those issues, two are 'Critical' server-side, remotely exploitable code-execution vulnerabilities. These are rather serious issues that may allow remote attackers to completely compromise a vulnerable computer. Given the nature of these issues, developing viable exploits to execute code may prove difficult, but denial-of-service attacks will likely be trivial. The remaining issue, rated 'Moderate,' is a remote denial-of-service vulnerability,” Symantec's Robert Keith revealed.

In addition to MS09-001 (for the vulnerabilities in the Microsoft Server Message Block (SMB) Protocol), the January 2009 Security Release ISO Image also includes MS08-078 and MS08-076, released last year, which patch vulnerabilities in Internet Explorer and Windows Media Components. Microsoft explained that Windows 7 Beta Build 7000 was also affected by the same vulnerabilities that affect Windows Vista SP1 and are patched by MS09-001, but since the issues were rated only Moderate and the company's policy was to resolve only Critical flaws in its Beta software, Windows 7 would be patched with the Release Candidate Build, and not via a standalone update.

“Two of the three vulnerabilities pose the risk for Remote Code Execution (CVE-2008-4834 and CVE-2008-4835), and hence these are rated Critical. However, Vista and Server 2008 systems are not vulnerable to the first of these vulnerabilities, and the second vulnerability does not affect systems using default settings. As a result, we rated Vista and Server 2008 as Moderate for CVE-2008-4835. CVE-2008-4114 affects all Windows platforms and results in a system DoS without any risk of RCE, and hence is rated Moderate,” Mark Wodrich, from Microsoft SVRD, added.

January 2009 Security Release ISO Image is available for download here.