Microsoft kept things to a minimum with its first set of security updates for 2009, but corporate system administrators who were expecting a quiet week got something else altogether, thanks to Oracle and Research In Motion.
Oracle is expected to release its quarterly Critical Patch Update Tuesday, which will include 41 security patches in its database and enterprise software products. On Monday, RIM released an “interim” patch for its BlackBerry Enterprise Server and BlackBerry Professional Software, fixing a critical flaw in the way those servers process PDF documents.
Microsoft’s update is important, too. It fixes three bugs in the Windows Server Message Block (SMB) file and print service. “An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its Security Bulletin explaining the problem.
The update is rated critical for Windows 2000, XP and Windows Server 2003, but moderate for Vista and Windows Server 2008.
Because of the nature of these flaws, Microsoft doesn’t think that it’s likely that attackers will be able to write attacks that let them install unauthorized software on a victim’s machine, but one hacker has already released code that he says can be used to make an unpatched Vista system crash. That’s known as a Denial of Service (DoS) attack.
In a Tuesday blog posting explaining the risks of an attack, Microsoft said that corporate users should patch “SMB servers and Domain Controllers immediately since a system DoS would have a high impact.”
Although there will be a lot of new enterprise patches by day’s end, Qualys Chief Technology Officer Wolfgang Kandek said he expected that most users would start with the Microsoft fix and take much more time to test the Oracle and BlackBerry updates. “People have high value systems running on this, so they’re very leery to disrupt their operations,” he said.