Microsoft to Issue Emergency Security Update Today ... Washington Post 10/23/2008

[Guest guest]

http://voices.washingtonpost.com/securityfix/?hpid=news-col-blogs Krebs on Computer Security Posted

at 10:58 AM ET, 10/23/2008 Microsoft

to Issue Emergency Security Update Today Microsoft said late Wednesday that it plans to break out

of its monthly patch cycle to issue a security update today for a critical

vulnerability in all supported versions of Windows.

Redmond rarely releases security patches outside of

Patch Tuesday, the second Tuesday of each month. The software giant isn't

providing many details yet, but the few times it has departed from its Patch

Tuesday cycle it has always done so to stop the bleeding on a serious security

hole that criminals were using to break into Windows PCs on a large scale. By Security Fix's count, this would be the

fourth time since January 2006 that

Microsoft has deviated from its monthly patch cycle to plug security holes. As

shown by the stories in the linked examples above, Microsoft has fixed

problems, each time, that were being actively exploited by bad guys to break

into PCs. Microsoft's advanced notification bulletin

says the problem is critical on Windows 2000, Windows XP

and Windows Server

2003, meaning this is a vulnerability that can be

exploited through little or no help from the user.

Redmond 's labels the flaw "important" on Windows Vista

and Windows Server

2008 machines. Microsoft is expected to push out the update

around 1:00 p.m. ET. The company also will reveal more details about the patch

in a special Webcast. I'll

have more information on this update as soon as the patch is out and details

are released. Stay tuned. Update, 12:00 p.m.: Corrected the time Microsoft

is expected to release this patch today. Update, 12:45 p.m. ET: A source of mine received some information from

Microsoft saying the vulnerability stems from a critical, wormable problem in

the Windows server message block service,

a component of Windows used to provide shared access to files, printers, and

other communications over a network. My source, who asked not to be identified

because Microsoft has not yet publicly discussed the details, said

Redmond has acknowledged

that criminals have for the past three weeks been using the vulnerability to

conduct targeted attacks. The source said that so far, fewer than 100 targeted

attacks leveraging this flaw have been spotted by Microsoft's security team,

but that Microsoft was rushing out this patch because the number of attacks

appears to be increasing of late. Update, 1:31 p.m.: Microsoft has released the update, MS08-067, which will

soon hit Windows update as well. My source told me this was an SMB flaw, but he

was only partly right. The vulnerability lies with the Windows Server

service, and more specifically with Microsoft's implementation of "remote

procedure call" (RPC), a communications technology deeply embedded in the

Windows operating system that allows a program to execute another process on a

remote system. RPC vulnerabilities are extremely dangerous, as they can be used

by a computer worm to spread malicious software to machines on a network with

lightning speed. The infamous "Blaster worm" that attacked

Microsoft and infected millions of Windows PCs in Aug. 2003 is probably the

most recognizable example of malware exploiting an RPC flaw. Microsoft does not release these so-called

"out-of-band" updates lightly. I would highly recommend applying this

patch as soon as possible, either by visiting Windows

Update or enabling Automatic Updates. A

quick scan with Windows Update on my Vista system offered the patch, which installed without incident (requires a reboot).