On December 14 Microsoft issued five new security bulletins. But as it turns out, Microsoft issued another critical security update one day prior to its regular monthly bulletin release. A critical update for Windows Firewall that changes its behavior was released on December 13 and was not announced to the public via the company's security bulletin service; however, the patch is listed at the company's Download Center.
According to Gary Schare, Product Director at Microsoft, the company only issues security bulletins for "code vulnerabilities" but didn't explain what constitutes such a vulnerability. It seems safe to assume that changes to software behavior due to previously unknown conditions--even if such changes are critical to enhanced security--will not be included in Microsoft security bulletins. Some people have expressed that they'd like to see such updates included in Microsoft's monthly security bulletins.
Those who do not keep the automatic update service constantly enabled or do not regularly visit the Download Center could remain unaware of the critical problem since the update isn't currently listed at any of the company's security-related Web sites.
Schare said that the company did post an article about the problem, "Making File and Printer Sharing Safer in Windows XP Service Pack 2," on their Windows XP home page back in September. The article offers tips on how to avoid exposing file and printer shares while using the Windows Firewall and the article will be updated to include information about the release of the update.
According to the related knowledge base article 886185, Windows Firewall users might find that, after connecting to the Internet using a dialup connection, their machines are open to access by anyone, which explains the critical rating given to the patch by Microsoft.
When the firewall option "My network (subnet) only" is used Windows Firewall does not properly interpret local subnets. In some cases the firewall interprets the entire Internet as the local subnet. The error could lead to the exposure of all available system services including printer and file shares to anybody on the Internet. The KB article explains that this problem is due to the way some dialing software packages configure routing tables. Obviously anybody who relies on Windows Firewall for protection should download and install the update immediately.
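To make the failure mode concrete, here is an added illustration (not Microsoft's code, and not the firewall's actual scope-resolution logic, which the article does not describe): a small model of a "subnet only" scope that derives the local subnet from on-link routes, run against two constructed routing tables. In the healthy table the dial-up link has a /24 on-link route; in the broken table the dialer has written the interface's on-link route with a 0.0.0.0 mask, so the modelled scope treats the entire Internet as local. The route tuples, addresses and the `check_scope` heuristic are all assumptions made for the example.

```python
import ipaddress

# Constructed routing tables: (destination, netmask, gateway, interface address).
# Layout loosely follows `route print`; the values are made up for this example.
HEALTHY_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1", "203.0.113.57"),            # default route via the ISP
    ("203.0.113.0", "255.255.255.0", "203.0.113.57", "203.0.113.57"),  # on-link route for the dial-up link
    ("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1"),              # loopback
]

BROKEN_ROUTES = [
    # A dialer that writes the link's on-link route with an all-zero mask (constructed case).
    ("0.0.0.0", "0.0.0.0", "203.0.113.57", "203.0.113.57"),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1"),
]

DIALUP_IP = "203.0.113.57"


def local_subnets(routes, interface_ip):
    """Networks a naive 'subnet only' scope would treat as local for one interface.

    Assumption for this model: a route is on-link when its gateway equals the
    interface address; the destination/netmask of such routes define the local subnet.
    """
    nets = []
    for dest, mask, gateway, iface in routes:
        if iface != interface_ip or gateway != interface_ip:
            continue  # not an on-link route for this interface
        nets.append(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
    return nets


def subnet_scope_allows(routes, interface_ip, remote_ip):
    """Would a 'My network (subnet) only' rule admit traffic from remote_ip?"""
    remote = ipaddress.ip_address(remote_ip)
    return any(remote in net for net in local_subnets(routes, interface_ip))


def check_scope(routes, interface_ip):
    """Defender's check: report any 'local subnet' that is implausibly wide.

    Heuristic (an assumption of this example): a local subnet shorter than /16
    on a non-loopback interface almost certainly covers far more than the link.
    """
    findings = []
    for net in local_subnets(routes, interface_ip):
        if net.is_loopback:
            continue
        if net.prefixlen < 16:
            findings.append(
                f"{interface_ip}: on-link route {net} covers {net.num_addresses} "
                f"addresses; 'subnet only' rules would admit the whole range"
            )
    return findings


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY_ROUTES), ("broken", BROKEN_ROUTES)):
        admitted = subnet_scope_allows(table, DIALUP_IP, "198.51.100.9")
        print(f"{label}: remote 198.51.100.9 admitted by subnet scope: {admitted}")
        for finding in check_scope(table, DIALUP_IP):
            print(f"  WARNING {finding}")
```

With the healthy table, a host on the unrelated 198.51.100.0/24 network is refused by the subnet scope and `check_scope` reports nothing; with the broken table the same host is admitted, because 0.0.0.0/0 contains every address, and the check flags the route. The same idea applies to any firewall whose "local" scope is derived from routing state: verify the derived subnet, not just the rule.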
In addition to the five new security bulletins issued on December 14, Microsoft also updated bulletin MS04-028, which relates to the JPEG Processing (GDI+) vulnerability, to inform customers that standalone updates are available for Microsoft .NET Framework 1.0 with SP2 and .NET Framework 1.1. Security updates are also available for Visual FoxPro 8.0, including the runtime module. The company also released Windows Messenger 5.1 to fix the security issue related to bulletin MS04-028, as well as an updated version of its Enterprise Update Scanning Tool.
On a more seasonal note, Microsoft released a new Christmas Theme for Windows XP users which includes "new wallpaper, animated cursors, new icons, new sounds and a 3D screensaver." Ho ho ho!