Microsoft Preps Windows Security Fix for Patch Tuesday

Use Netsparker


Many users are expecting a patch for the Microsoft IIS Semicolon Bug, but from the recently published bulletin by Microsoft it seems that is highly unlikely during this patch cycle.

Microsoft Security Bulletin Advance Notification for January 2010

It seems they will only be pushing out a fairly low priority fix which is rated critical only for Windows 2000 users.

In its first Patch Tuesday of the year, Microsoft is planning to plug a Windows security hole rated critical for Windows 2000 systems. A fix for a Server Message Block protocol vulnerability is still being worked on, Microsoft says.

Microsoft is kicking off the new year with a single Windows security bulletin. The first Patch Tuesday release of 2010 will contain a fix rated “critical” for Windows 2000 users and low for others. According to Microsoft’s pre-Patch Tuesday notification, the bulletin addresses a remote code execution vulnerability, and the exploitability index—the rating system that predicts the likelihood of a successful exploit—is not high.

The single bulletin means that a fix for the SMB (Server Message Block) protocol vulnerability the company warned users about in November is not on the menu to be fixed by Jan. 12. According to Microsoft Security Program Manager Jerry Bryant, the company is still working on the issue.

The critical SMB bug we published back in November is not slated to be fixed either.

So as usual, disable public access to your SMB ports! And of course…don’t hold your breath for a fix, if we’re lucky it may get rolled into the February patch cycle.

“We are not aware of any active attacks using the exploit code that was made public for this vulnerability and continue to encourage customers to follow the guidance in the advisory which outlines best practices to help protect systems against attacks that originate outside of the enterprise perimeter,” Bryant wrote on the Microsoft Security Response Center blog.

Microsoft is also not releasing a patch for the IIS (Internet Information Services) problem reported in late December. According to Microsoft, the issue is not an actual vulnerability in IIS 6.0, but an inconsistency in how it handles semicolons that can only be exploited if IIS is configured in a vulnerable setting.

This month’s Patch Tuesday release is slated to be available at 1 p.m. EST, Jan. 12.

Not being aware of any public exploitation isn’t really a valid excuse is it? Since when do blackhats go around telling everyone exactly what they are up to?

People could and probably are getting pwned left right and center and no one will have any idea how.

They are skating around the IIS issue too, even if it’s a vulnerability caused by settings (yes settings can mitigate it) they should push out something to solve the problem (an updated config for example).

Source: eWeek

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , , ,


Latest Posts:


BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.


2 Responses to Microsoft Preps Windows Security Fix for Patch Tuesday

  1. droope January 13, 2010 at 1:42 am #

    That sucks. It’s a lesson, as I’ve said before: “Do not trust your server’s security to Microsoft”.

    They’ve had the chance to fix it… Perhaps they think acknowledging the bug might get them into trouble?

  2. T2t January 13, 2010 at 3:13 pm #

    It’s a case of the king with the invisible cloak… if they don’t acknowledge the problem it doesn’t exist.

    And the rest of us our left to fend for ourselves. The problem is those of us that read posts like these can protect ourselves… it’s the layman that suffer for Microsofts ignorance. I feel for those network admins in small business that got stuck in that position because they happen to know a little more than others in their office.