Microsoft has been patching a lot of "critical" holes in its software this year, but the volume of fixes has seemed to be either deluge or drought.
For May's "Patch Tuesday" event, for instance, the company delivered just two patches and only one of those is ranked critical. That one patch, though, should be enough to make IT managers take notice.
However, in April, Microsoft (NASDAQ: MSFT) released a raft of patches -- a total of 17 patches, nine of them scoring critical on Microsoft's four-tier severity scale.
In March, though, the company only fielded three patches, one of which rated as critical.
And in February, Microsoft released some 22 patches, six critical.
So it may seem to many security managers that May's single critical patch is less important to install right away. That could be a mistake.
That one critical patch fixes a security hole in a component of Windows Server 2003 through 2008 Release 2 (R2). The hole is in what's called the Windows Internet Name Service (WINS), which is similar to DNS. WINS provides name services to networks that support NetBIOS over TCP/IP.
Luckily, WINS, which isn't used much anymore, is not installed on a lot of Windows Servers.
"By default, WINS is not installed on any affected operating system. Only customers who manually install this component are affected by this issue," Microsoft's security bulletin said.
Although that is true, some analysts say the problem may be complicated by the fact that some older applications do use WINS and have it installed on their servers.
"The problem here is that many third-party applications use WINS, especially legacy applications. WINS is widely deployed in government and commercial networks," Marcus Carey, community manager at security firm Rapid7, told InternetNews.com in an emailed statement.
Paul Henry, forensic and security analyst at researcher Lumension, echoed that sentiment.
"The critical patch [for the] vulnerability in WINS addresses an issue with all supported versions of Windows server and exposes the server to a remote code execution attack; thus, it should be a high priority if you are running any of the Windows server platforms," Henry said in an email to InternetNews.com.
"Since Windows Server 2003, WINS was optional, but many people found that it broke things when it was disabled ... Organizations should test and deploy this update as soon as possible," Carey added.