Microsoft Ships One Critical Patch This Month


Microsoft is giving security professionals some needed time off with January's "Patch Tuesday" bug fix release.

After a recent string of some of the largest security patch releases in the company's history, Microsoft (NASDAQ: MSFT) only had two patches for security administrators to test and deploy on Tuesday. Of those, only one ranked as "critical," the top rating on the company's four-tier severity scale.

Last month, in comparison, Microsoft released 17 patches that fixed a total of 40 security flaws in its products.

Additionally, in October, Microsoft shipped 16 patches that fixed 49 security holes.

In contrast, the two patches for January contain a total of three bug fixes, and only one of those is rated critical.

The company normally releases all of the patches it has ready to go on the second Tuesday of the month, earning it the name Patch Tuesday. On the Thursday prior to that date, Microsoft releases a short summary notification describing what tasks will be necessary, such as whether systems need a reboot. (Both patches for January "may" require rebooting.)

This month's sole critical patch fixes one critical security vulnerability and one important vulnerability in Windows.

The hole has to do with how a technology in Windows validates what are called Microsoft Data Access Components (MDAC).

A Microsoft Security Bulletin said that neither of the flaws in the critical patch had been published on the Web or used for attacks in the wild. However, the critical flaw could be used for drive-by downloads and complete system compromise simply by a user visiting a booby-trapped site.

"The first vulnerability is rated critical for Windows XP, Vista and Windows 7 and the second rated important for all supported versions of Windows Server," Carlene Chmaj, senior security response communications manager, said in a post to the Microsoft Security Response Center (MSRC) blog.

At least there is one piece of good news around the critical bug, according to one security researcher.

"The first vulnerability cannot be exploited through Microsoft software. The vulnerability may be exploited through third party software if a user browses to a malicious website," Jason Miller, data team manager with Shavlik Technologies, said in an e-mail to

Meanwhile, the vulnerability fixed by the other patch, even though it is only ranked as important, has been publicly disclosed, according to Microsoft. Additionally, it only affects Windows Vista systems.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.
