Microsoft Corp. will kick off the new year by issuing just two security updates next week, the company said Thursday.
The updates will fix flaws in Windows, Microsoft said in the prepatch notice. One will be rated “critical,” the company’s most serious ranking, while the other will be tagged as “important,” the next-lower rating.
Tuesday’s critical update is expected to patch a remote code execution vulnerability found in all currently supported versions of Windows, ranging from Windows 2000 SP4 to Windows Vista. The bug is especially threatening to users of Windows XP and Vista, according to Microsoft. The company ranked the flaw critical to those operating systems, but important to Windows Server 2003 and “moderate” to Windows 2000.
Although Microsoft provides only bare-bones information in its prepatch notification, this update may be a fix for the Web Proxy Auto-Discovery (WPAD) bug that the company’s security team acknowledged a month ago, but didn’t fix in time to make the Dec. 11 batch of updates. The WPAD vulnerability — actually a flaw in how Windows PCs look up DNS information — was originally patched in 1999, but resurfaced recently when a researcher pointed out that it had crept back into later versions of Windows.
Ryan Poppa, lead research engineer at nCircle Inc., however, had a different idea. “I’m leaning toward something else,” said Poppa, “because WPAD doesn’t seem to fit with the criticality of this.”
Poppa based his speculation on how Microsoft rated the vulnerability for the different versions of Windows. “It mostly affects the workstations, and not servers,” he said, referring to the important rating for Windows Server 2003 and the critical label for XP and Vista. “It might be [a fix for] a service that’s not turned on by default on Windows 2003, but is on XP and Vista. It could be something like Remote Desktop, for example.”
The second update scheduled for next week affects all versions of Windows except Vista. Because Microsoft classified it as a “local elevation of privilege” — which typically means that an attack requires local access — it ranked the vulnerability as important across the board.
Microsoft also plans to release five nonsecurity, high-priority updates via Microsoft Update and Windows Server Update Services (WSUS), and two nonsecurity, high-priority updates for Windows on Windows Update and WSUS. Microsoft Update downloads and installs not only fixes for Windows, but also updates for Office and several other Microsoft products.
The two updates and their associated explanatory bulletins will go live Tuesday around 1 p.m. Eastern time.