We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Microsoft to issue two Windows patches next week

One critical, the other important

Microsoft will issue just two security updates next week, the company said yesterday.

The updates will fix flaws in Windows, Microsoft said in the prepatch notice. One will be rated "critical", the company's most serious ranking, while the other will be tagged as "important", the next-lower rating.

Tuesday's critical update is expected to patch a remote code execution vulnerability found in all currently supported versions of Windows, ranging from Windows 2000 SP4 to Windows Vista. The bug is especially threatening to users of Windows XP and Vista, according to Microsoft.

The company ranked the flaw critical to those operating systems, but important to Windows Server 2003 and "moderate" to Windows 2000. Visit Security Advisor for the latest PC security news, reviews, tips and tricks.

Although Microsoft provides only bare-bones information in its prepatch notification, this update may be a fix for the Web Proxy Auto-Discovery (WPAD) bug that the company's security team acknowledged a month ago, but didn't fix in time to make the December 11 batch of updates.

The WPAD vulnerability - actually a flaw in how Windows PCs look up DNS information - was originally patched in 1999, but resurfaced recently when a researcher pointed out that it had crept back into later versions of Windows.

Ryan Poppa, lead research engineer at nCircle, however, had a different idea. "I'm leaning toward something else," said Poppa, "because WPAD doesn't seem to fit with the criticality of this".

Poppa based his speculation on how Microsoft rated the vulnerability for the different versions of Windows.

"It mostly affects the workstations, and not servers," he said, referring to the important rating for Windows Server 2003 and the critical label for XP and Vista.

"It might be [a fix for] a service that's not turned on by default on Windows 2003, but is on XP and Vista. It could be something like Remote Desktop, for example."

The second update scheduled for next week affects all versions of Windows except Vista. Because Microsoft classified it as a "local elevation of privilege" - which typically means that an attack requires local access - it ranked the vulnerability as important across the board.

Microsoft also plans to release five nonsecurity, high-priority updates via Microsoft Update and Windows Server Update Services (WSUS), and two nonsecurity, high-priority updates for Windows on Windows Update and WSUS. Microsoft Update downloads and installs not only fixes for Windows, but also updates for Office and several other Microsoft products.

The two updates and their associated explanatory bulletins will go live Tuesday.


IDG UK Sites

How to use an Apple Watch: Everything you need to know about the Apple Watch

IDG UK Sites

Why Scottish Tablet is better than the iPad mini

IDG UK Sites

How Microsoft's HoloLens AR headset will work without needing a computer or phone

IDG UK Sites

Apple MacBook 1.1 GHz review (Retina, 12-inch, Early 2015): The future of Apple laptops