“Patch Tuesday is the second Tuesday of each month, and that’s when Microsoft typically releases security and other updates for their products. Sometimes an emergency requires an “out-of-band” patch. And today, October 23rd, Microsoft is pushing out a critical Windows security patch.
Not much has been said about the release, however. They are planning to release the Windows patch at 10 AM PDT, with a Webcast to cover specifics of the patch at 1 PM PDT. However, Webcast registration is already full.
Microsoft hasn’t offered many details about the patch, other than to say it is critical and should be applied immediately to Windows 2000, Windows XP, and Windows Server 2003 systems. For Windows Vista and Windows Server 2008, the patch is deemed only “important” rather than critical.
The last time Microsoft released an “out-of-band” patch was April 2007, according to a Microsoft representative.
Update: It’s this one and it looks pretty bad. Remote code execution could allow an attacker to take over your system.
Microsoft Security Bulletin MS08-067
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Maximum Severity Rating
Impact of Vulnerability: Remote Code Execution
Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Microsoft Windows. For more information, see the Affected Software and Download Locations section.
The Microsoft Security Response Center said the following:
This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Windows XP and older versions are rated as “Critical” while Windows Vista and newer versions are rated as “Important”. Because the vulnerability is potentially wormable on those older versions of Windows, we’re encouraging customers to test and deploy the update as soon as possible. To help you better understand the details around the vulnerability, my colleagues over at the Security Vulnerability Research & Defense blog have provided some more information here. Also, Michael Howard has provided some background on the vulnerability from the Security Development Lifecycle perspective here.
In addition to releasing a security update to address the vulnerability, we’ve also taken steps to help enable broader protections for customers. Specifically, our colleagues in the Microsoft Malware Protection Center have released updated signatures that can enable Microsoft Forefront and Microsoft OneCare to protect against current attempts to exploit the vulnerability (Exploit:Win32/MS08067.gen!A). You can read about what they’re doing to help protect here. We have also provided information to our security partners in our Microsoft Active Protections Program and our Microsoft Security Response Alliance Program. We encourage all customers to update the signatures for their security protection products to help provide protections while they’re testing and deploying these updates.
We discovered this vulnerability as part of our research into a limited series of targeted malware attacks against Windows XP systems that we discovered about two weeks ago through our ongoing monitoring. As we investigated these attacks we found they were utilizing a new vulnerability and initiated our Software Security Incident Response Process (SSIRP). As we analyzed the vulnerability in our SSIRP process, we found that this vulnerability was potentially wormable on Windows XP and older systems. Our analysis also showed that it would be possible to address this vulnerability in a way that would enable us to develop an update of appropriate quality for broad distribution quickly. Based on those two factors, we felt that it was in the best interest of customers for us to release this update before the regular November release cycle.”