Microsoft to Issue Emergency Security Update Today

Microsoft said late Wednesday that it plans to break out of its monthly patch cycle to issue a security update today for a critical vulnerability in all supported versions of Windows.

Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month. The software giant isn't providing many details yet, but the few times it has departed from its Patch Tuesday cycle it has always done so to stop the bleeding on a serious security hole that criminals were using to break into Windows PCs on a large scale.

By Security Fix's count, this would be the fourth time since January 2006 that Microsoft has deviated from its monthly patch cycle to plug security holes. As shown by the stories in the linked examples above, Microsoft has fixed problems, each time, that were being actively exploited by bad guys to break into PCs.

Microsoft's advance notification bulletin says the problem is critical on Windows 2000, Windows XP and Windows Server 2003, meaning this is a vulnerability that can be exploited with little or no help from the user. Redmond labels the flaw "important" on Windows Vista and Windows Server 2008 machines.

Microsoft is expected to push out the update around 1:00 p.m. ET. The company also will reveal more details about the patch in a special Webcast. I'll have more information on this update as soon as the patch is out and details are released. Stay tuned.

Update, 12:00 p.m.: Corrected the time Microsoft is expected to release this patch today.

Update, 12:45 p.m. ET: A source of mine received some information from Microsoft saying the vulnerability stems from a critical, wormable problem in the Windows server message block service, a component of Windows used to provide shared access to files, printers, and other communications over a network. My source, who asked not to be identified because Microsoft has not yet publicly discussed the details, said Redmond has acknowledged that criminals have for the past three weeks been using the vulnerability to conduct targeted attacks. The source said that so far, fewer than 100 targeted attacks leveraging this flaw have been spotted by Microsoft's security team, but that Microsoft was rushing out this patch because the number of attacks appears to be increasing of late.

Update, 1:31 p.m.: Microsoft has released the update, MS08-067, which will soon hit Windows Update as well. My source told me this was an SMB flaw, but he was only partly right.

The vulnerability lies with the Windows Server service, and more specifically with Microsoft's implementation of "remote procedure call" (RPC), a communications technology deeply embedded in the Windows operating system that allows a program to execute another process on a remote system. RPC vulnerabilities are extremely dangerous, as they can be used by a computer worm to spread malicious software to machines on a network with lightning speed. The infamous "Blaster worm" that attacked Microsoft and infected millions of Windows PCs in Aug. 2003 is probably the most recognizable example of malware exploiting an RPC flaw.

Microsoft does not release these so-called "out-of-band" updates lightly. I would highly recommend applying this patch as soon as possible, either by visiting Windows Update or enabling Automatic Updates. A quick scan with Windows Update on my Vista system offered the patch, which installed without incident (requires a reboot).

By Brian Krebs  |  October 23, 2008; 10:58 AM ET
Categories:  Latest Warnings , New Patches , Safety Tips  

Comments

I got the notification about the update with a pop-up window to the shield in the task bar. The update installation seemed to be about Windows Genuine Advantage.

If this is accurate, is this worth the hassle? Why would Microsoft issue a non-standard patch for WGA?

Posted by: blasher | October 23, 2008 11:39 AM | Report abuse

Posted by: jaiderbertoli | October 23, 2008 12:24 PM | Report abuse

Not SMB per se -- it's RPC.

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

Posted by: joelmoses | October 23, 2008 1:00 PM | Report abuse

The webcast is scheduled for 1PM PDT (4PM EDT) but don't bother if you haven't registered already. No more connections to the webcast are being created. Thanks, Microsoft. How hard would it be to let everyone see it?

I'm going to bet that the update is not being released until 4PM EDT vice Brian's 1PM ET. Check your time zones please.

DLD

Posted by: DLDx | October 23, 2008 1:12 PM | Report abuse

Posted by: Brian Krebs | October 23, 2008 1:15 PM | Report abuse

This update is already available on Windows Update. 10:11 PDT

Posted by: eteonline | October 23, 2008 1:16 PM | Report abuse

Yep, and it's dated yesterday! After I checked my work machine it appears that it was downloaded, but not installed, this morning.

Still don't get to see the webcast, not in real time anyway.

DLD

Posted by: DLDx | October 23, 2008 1:53 PM | Report abuse

It's in the wild -

http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

Gimmiv.A exploits critical vulnerability (MS08-067)

Critical vulnerability in Server Service has only been patched by Microsoft (MS08-067), as a new worm called Gimmiv.A has been found to be exploiting it in-the-wild.
...

Posted by: moike | October 24, 2008 8:24 AM | Report abuse

Microsoft has an explanation of the bug here http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

Note: This is a code analysis piece, so very technical. For the non-techie the important part is this:

"Over the last year or so I've noticed that the security vulnerabilities across Microsoft, but most noticeably in Windows have become bugs of a class I call "onesey - twosies" in other words, one-off bugs. There is a good side and a bad side to this. First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code. The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives."

Posted by: wiredog | October 24, 2008 10:18 AM | Report abuse

I am not sure if you even look at the comments, but if you do I have a unique issue from this update.

I am a Website Designer (whole site construction). I went to view a new design I have been working on today and the button in the form suddenly had a white box around it indicating the transparency was not being read on my image.

So I thought, must be a MS glitch in their browsers. NOPE! All of a sudden (in ALL browsers) on XP Pro my transparencies in the submit button were gone.

Do you know anything about this issue? Will it only be that way on the computer I am using to check, but not the web itself? Would you take the time to look into this? I know you write on security, but this is definitely because of the update.
Help!

Posted by: GoneGoneGone1 | October 24, 2008 1:48 PM | Report abuse

This is why I'm reading this article on an Ubuntu-based computer. 20+ years of dealing with Microsoft's "critical" updates. Why people keep supporting this company and their attitude about using users as test platforms for discovering their security leaks will remain a deep mystery.

Posted by: fmschiav | October 24, 2008 6:34 PM | Report abuse

Could you please DATE your articles or at least tell us when "today" is in the title? Thanks.

Posted by: Bobthetechguy | October 29, 2008 10:39 AM | Report abuse
