12.14.2004

Microsoft December Security Updates

This month brings us 6 vulnerabilities, 5 of which were announced today, and one (a critical IE vulnerability) which was announced on December 1st. Of these 6 vulnerabilities the IE critical vulnerability is the one that should be on everyone's radar screen. Those of you running Windows XP SP2 and Windows 2003 are not affected by this critical vulnerability. However, anyone running Windows 2000 or Windows XP with SP1 should investigate the December IE patch immediately.

The only other item of interest this month is the WINS vulnerability detailed in MS04-045. This vulnerability could allow remote code execution in certain circumstances, most likely on Windows 2000 servers. I added this patch to my recommended patch baseline list due to this fact. However, if you are not running the WINS service on a particular server, then you do not need to worry about this vulnerability. In some situations with smaller clients, I have installed WINS on AD domain controllers since those servers are typically under-utilized. If your network fits this scenario, it is imperative that you apply the WINS patch. Remote compromise of a WINS server is one thing; remote compromise of an AD domain controller is another.
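One way to find out which servers fall into that scenario is sketched below. This is an added example, not part of the original post. It assumes a management host with PowerShell and CIM/WinRM access to the targets, and the server names are constructed placeholders.

```powershell
# Added example: report where the WINS service exists and whether the host is a domain controller.
# Assumption: targets are reachable over CIM/WinRM; the names below are constructed placeholders.
$servers = 'dc01.example.test', 'file01.example.test', 'wins01.example.test'

function Get-WinsExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $name -ErrorAction Stop

            # The WINS server service is registered under the service name "WINS".
            $wins = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='WINS'"

            # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
            $cs   = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
            $isDc = $cs.DomainRole -ge 4

            if (-not $wins) {
                $priority = '4 - WINS not installed'
            } elseif ($wins.State -ne 'Running') {
                $priority = '3 - WINS installed but not running (review)'
            } elseif ($isDc) {
                $priority = '1 - WINS running on a domain controller'
            } else {
                $priority = '2 - WINS running'
            }

            [pscustomobject]@{
                Computer         = $name
                DomainController = $isDc
                WinsState        = if ($wins) { $wins.State } else { 'Absent' }
                WinsStartMode    = if ($wins) { $wins.StartMode } else { 'n/a' }
                PatchPriority    = $priority
            }
        } catch {
            # An unreachable host is reported rather than silently treated as unaffected.
            [pscustomobject]@{
                Computer         = $name
                DomainController = $null
                WinsState        = 'Unknown'
                WinsStartMode    = 'Unknown'
                PatchPriority    = "0 - could not query: $($_.Exception.Message)"
            }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

Get-WinsExposure -ComputerName $servers | Sort-Object PatchPriority | Format-Table -AutoSize
```

Hosts that could not be queried sort to the top so they are checked by hand instead of being assumed clean.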

Have a happy holiday season...