Microsoft to Squish One Lonely Bug on Tuesday

For system administrators who have felt under the gun in recent months as Microsoft patched record numbers of critical security bugs in its products, January should be a skate.

That’s because next Tuesday — the second Tuesday of the month, also known as “Patch Tuesday,” the day Microsoft (NASDAQ: MSFT) issues most of its patches for the month — only has one patch for a single bug. And that bug is only really dangerous to those running the oldest supported version of the Windows operating system.

In contrast, several recent Patch Tuesday drops fixed record numbers of critical security bugs in Microsoft products.

Additionally, Tuesday’s single patch is rated critical — the highest level of Microsoft’s four-tier security threat severity scale — only for Windows 2000 Service Pack 4 (SP4).

Although other versions of Windows are affected by the bug, including Windows Server 2003, 2008 and 2008 R2, as well as XP, Vista, and Windows 7, the security rating for those systems is listed as low, the lowest tier of the scale.

The warning came in Microsoft’s advance notice, which it releases the Thursday before the actual patch release in order to give system administrators advance warning of how much work to expect.

Still investigating Windows 7 exploit code

Microsoft also admitted on its Security Response Center blog that Tuesday's release will not include a patch for a bug identified in November that causes Windows 7 to crash.

“We are still working on an update for the issue at this time. We are not aware of any active attacks using the exploit code that was made public for this vulnerability,” a company spokesperson said in the blog post.

The Windows 7 bug was discovered in a networking protocol called System Message Block or SMB. Crashing the system results in a denial-of-service but doesn’t compromise the user’s PC. Microsoft issued a Security Advisory at the time, offering a workaround that blocks communications ports that are used by the protocol.

However, that can cause important communications functions to stop working, including group policies and file and print sharing, the November advisory said.

Meanwhile, it may be that Tuesday is one of those rare days when system administrators can put their feet up on the desk and relax.

“Let’s hope that IT admins can savor this unusually reduced patch release as they kick off the New Year and use the time to prepare for the numerous updates and patches that are still yet to come in order to resolve the current SMB denial-of-service problems,” Paul Henry of Lumension Security said in a statement e-mailed to
