Happy New Year! I hope that you all had a joyous and safe holiday season! I think that it is possible that both the "bad guys" and Microsoft took a break over the last month (or maybe called a truce?), because this Patch Tuesday is just about patch free! On the other hand, mid-December saw our second out-of-band patch of the year to fix an insanely ugly problem in Internet Explorer. Maybe that was the "ride into the sunset" for 2008?
Security patchesMS09-001/KB958687 — Critical (2000, XP, 2003) / Moderate (Vista, 2008): This patch corrects a number of problems in the SMB protocol (used for file sharing), which can allow one of the dreaded "remote code execution" attacks. Of course, you should not have Windows file sharing available over the Internet, so hopefully your exposure is limited to internal attacks. This patch affects every version of Windows from 2000 through present, both 32-bit and 64-bit flavors, and it affects Server Core as well. You should install this patch immediately on pre-Vista/2008 machines. For Vista and 2008, while the rating is "moderate," I would suggest installing it now anyway.
Other updates"The Usual Suspects": Updates to the Malicious Software Removal Tool and Junk Email filters. Changed, but not significantly: There are minor metadata updates to SP3 for XP and KB956803 for XP and 2003, which do not alter the binaries at all. There is also a correction to KB952069 (2000, XP, 2003, Vista, 2008) to correct it from being offered after being installed.
Updates since the last Patch TuesdayThe big news here is the out-of-band patch released on December 17, to fix MS08-078/KB960714. This was a particularly nasty and publicly disclosed bug. If you have not installed it yet and have users who use IE, stop what you are doing and make plans to install it tonight.
Stay on top of the latest XP tips and tricks with TechRepublic's Windows XP newsletter, delivered every Thursday. Automatically sign up today!
Justin James is the Lead Architect for Conigent.