Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


December 16, 2004

Critical Update for Windows Firewall Flies Under the Radar

On December 14, Microsoft issued five new security bulletins. But as it turns out, Microsoft issued another critical security update one day prior to its regular monthly bulletin release. A critical update for Windows Firewall that changes its behavior was released on December 13 and was not announced to the public via the company's security bulletin service; however, the patch is listed at the company's Download Center.

According to Gary Schare, Product Director at Microsoft, the company issues security bulletins only for "code vulnerabilities," but he didn't explain what constitutes such a vulnerability. It seems safe to assume that changes to software behavior due to previously unknown conditions, even if such changes are critical to enhanced security, will not be included in Microsoft security bulletins. Some people have said that they'd like to see such updates included in Microsoft's monthly security bulletins.

Those who do not keep the automatic update service constantly enabled or do not regularly visit the Download Center could remain unaware of the critical problem since the update isn't currently listed at any of the company's security-related Web sites.

Schare said that the company did post an article about the problem, "Making File and Printer Sharing Safer in Windows XP Service Pack 2," on its Windows XP home page back in September. The article offers tips on how to avoid exposing file and printer shares while using the Windows Firewall, and it will be updated to include information about the release of the update.

According to the related Knowledge Base article 886185, Windows Firewall users might find that, after connecting to the Internet using a dialup connection, their machines are open to access by anyone, which explains the critical rating given to the patch by Microsoft.

When the firewall option "My network (subnet) only" is used, Windows Firewall does not properly interpret local subnets. In some cases, the firewall interprets the entire Internet as the local subnet. The error could lead to the exposure of all available system services, including printer and file shares, to anybody on the Internet. The KB article explains that this problem is due to the way some dialing software packages configure routing tables. Obviously, anybody who relies on Windows Firewall for protection should download and install the update immediately.
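The following sketch is an added illustration, not code from Microsoft or from the KB article. It shows how a "local subnet" scope derived from a routing table can end up covering every address, and an audit check that flags it. It assumes the scope is taken from on-link routes and that the dialer installs an on-link default route; the routing tables, function names and the remote address are constructed for the example.

```python
import ipaddress

# Constructed routing tables: (destination prefix, gateway, interface).
# gateway None means "on-link": every address in the prefix is treated as
# directly attached, which is what a subnet-based scope would call local.
LAN_ROUTES = [
    ("192.168.1.0/24", None, "Ethernet"),
    ("0.0.0.0/0", "192.168.1.1", "Ethernet"),   # default route via a gateway
]
DIALUP_ROUTES = [
    ("0.0.0.0/0", None, "Dial-up"),             # assumed dialer behaviour
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def local_subnets(routes):
    """Prefixes a scope derived from on-link routes would treat as local."""
    return [ipaddress.ip_network(dst) for dst, gw, _ in routes if gw is None]


def in_local_scope(routes, remote):
    """Would a 'local subnet only' exception admit this remote address?"""
    addr = ipaddress.ip_address(remote)
    return any(addr in net for net in local_subnets(routes))


def overbroad_scopes(routes):
    """Audit check: on-link prefixes that reach beyond private address space."""
    return [net for net in local_subnets(routes)
            if not any(net.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    outsider = "203.0.113.7"   # documentation address standing in for an Internet host
    for name, table in (("LAN", LAN_ROUTES), ("dial-up", DIALUP_ROUTES)):
        print(name, "admits", outsider, "->", in_local_scope(table, outsider),
              "| over-broad:", [str(n) for n in overbroad_scopes(table)])
```

With the LAN table the subnet-only exception admits only 192.168.1.0/24; with the dial-up table the same rule admits any address, which is the exposure the update addresses.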

In addition to the five new security bulletins issued on December 14, Microsoft also updated bulletin MS04-028, which relates to the JPEG Processing (GDI+) vulnerability, to inform customers that standalone updates are available for Microsoft .NET Framework 1.0 with SP2 and .NET Framework 1.1. Security updates are also available for Visual FoxPro 8.0, including the runtime module. The company also released Windows Messenger 5.1 to fix the security issue related to bulletin MS04-028, as well as an updated version of its Enterprise Update Scanning Tool.

On a more seasonal note, Microsoft released a new Christmas Theme for Windows XP users which includes "new wallpaper, animated cursors, new icons, new sounds and a 3D screensaver." Ho ho ho!

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement