Microsoft is only planning to release one bulletin on its first Patch Tuesday of 2010 and will not address an existing vulnerability in SMB that could allow a denial-of-service attack.
In an advance notification, Microsoft Security Response Center security program manager Jerry Bryant said that one bulletin addressing a single vulnerability in Windows will be released. This will address a remote code execution vulnerability that affects only Windows 2000, and may require a restart.
He said that the vulnerability is rated critical on Windows 2000 and low for all other platforms, and that the Exploitability Index rating for this issue will not be high, which lowers the overall risk.
Bryant said: “I also want to proactively point out that we will not be addressing security advisory 977544 (vulnerability in SMB that could allow denial-of-service attack). We are still working on an update for the issue at this time.
“We are not aware of any active attacks using the exploit code that was made public for this vulnerability and continue to encourage customers to follow the guidance in the advisory which outlines best practices to help protect systems against attacks that originate outside of the enterprise perimeter.”
Matthew Walker, regional director for UK & Ireland at Lumension, said: “A belated Christmas present to all IT administrators is expected from Microsoft next Tuesday, in the form of what's expected to be the lightest Patch Tuesday we've seen in years.
“Let's hope that IT administrators can savour this unusually reduced patch release as they start the New Year. Perhaps they can use the time to prepare for the numerous updates and patches yet to come and also resolve the current SMB denial-of-service problems, the MySQL zero-day rumours and the latest Adobe PDF issue.
“Bear in mind that patches for these issues are around the corner. Just because they aren't being addressed with the first patch bulletin of the year doesn't mean that IT administrators should not keep a close eye out for them shortly.”