We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Microsoft to issue two Windows patches next week

One critical, the other important

Microsoft will issue just two security updates next week, the company said yesterday.

The updates will fix flaws in Windows, Microsoft said in the prepatch notice. One will be rated "critical", the company's most serious ranking, while the other will be tagged as "important", the next-lower rating.

Tuesday's critical update is expected to patch a remote code execution vulnerability found in all currently supported versions of Windows, ranging from Windows 2000 SP4 to Windows Vista. The bug is especially threatening to users of Windows XP and Vista, according to Microsoft.

The company ranked the flaw critical to those operating systems, but important to Windows Server 2003 and "moderate" to Windows 2000. Visit Security Advisor for the latest PC security news, reviews, tips and tricks.

Although Microsoft provides only bare-bones information in its prepatch notification, this update may be a fix for the Web Proxy Auto-Discovery (WPAD) bug that the company's security team acknowledged a month ago, but didn't fix in time to make the December 11 batch of updates.

The WPAD vulnerability - actually a flaw in how Windows PCs look up DNS information - was originally patched in 1999, but resurfaced recently when a researcher pointed out that it had crept back into later versions of Windows.

Ryan Poppa, lead research engineer at nCircle, however, had a different idea. "I'm leaning toward something else," said Poppa, "because WPAD doesn't seem to fit with the criticality of this".

Poppa based his speculation on how Microsoft rated the vulnerability for the different versions of Windows.

"It mostly affects the workstations, and not servers," he said, referring to the important rating for Windows Server 2003 and the critical label for XP and Vista.

"It might be [a fix for] a service that's not turned on by default on Windows 2003, but is on XP and Vista. It could be something like Remote Desktop, for example."

The second update scheduled for next week affects all versions of Windows except Vista. Because Microsoft classified it as a "local elevation of privilege" - which typically means that an attack requires local access - it ranked the vulnerability as important across the board.

Microsoft also plans to release five nonsecurity, high-priority updates via Microsoft Update and Windows Server Update Services (WSUS), and two nonsecurity, high-priority updates for Windows on Windows Update and WSUS. Microsoft Update downloads and installs not only fixes for Windows, but also updates for Office and several other Microsoft products.

The two updates and their associated explanatory bulletins will go live Tuesday.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia