Microsoft started 2009 by fixing just one security flaw in its software; this month's Patch Tuesday only had a single security bulletin, MS09-001.

The security update kills three birds with one stone: two privately reported vulnerabilities and one publicly disclosed vulnerability. This is possible since all three problems, which could allow remote code execution and give an attacker full user rights, are found in the Microsoft Server Message Block (SMB) Protocol.

While Microsoft issued the patch for Windows 2000, Windows XP (x86 and x64), Windows Server 2003 (x86 and x64), Windows Vista (x86 and x64), and Windows Server 2008 (x86 and x64), the company left Windows 7 out of the party. Microsoft gave the following explanation for this decision:

"We know that there might be some questions about the beta version of Windows 7 and today's bulletin. Windows 7 is affected only by the SMB Validation Denial of Service Vulnerability (CVE-2008-4114) and, like Windows Vista and Windows Server 2008, would be rated as Moderate because the vulnerability would require authentication for any attack to succeed. We provide security updates for beta versions of Windows through Windows Update for Critical issues only. So the SMB Validation Denial of Service Vulnerability (CVE-2008-4114) will be addressed in the next public release for Windows 7."

Coupled with the patch for the MP3 corruption issue, this should squash any speculation saying that Microsoft does not bother patching beta software. Still, I'm not sure I agree with the step the company is taking considering the millions that have downloaded (and still can until January 24) and installed the beta. Hopefully, the fact that Microsoft isn't bothering with a patch means that a release candidate build isn't too far off.
