Microsoft Issuing Critical Off-schedule Patch
By Pedro Hernandez
October 23, 2008
Microsoft is releasing an out-of-band patch for a vulnerability it rates 'critical' on Windows 2000, XP and Server 2003: a flaw in the Windows Server service that could let an attacker take control of a system remotely. The vulnerability carries an 'important' rating on Windows Vista and Server 2008, and the company is warning that exploit code for it could be 'wormable'. According to the bulletin (MS08-067), the flaw lies in how the service handles specially crafted remote procedure call (RPC) requests. Microsoft states that a properly configured firewall mitigates the vulnerability, and that on Vista, Server 2008 and Windows 7 Pre-Beta "the vulnerable code path is only accessible to authenticated users," which reduces the likelihood of a successful attack by an unauthenticated remote attacker.

Microsoft's Windows Server service FAQ sheds some light on why the company is moving quickly to resolve the matter:

"The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC."

Tyler Reguly, a security engineer for nCircle, a provider of network security and PCI compliance products and services, points to the exposure and liability risk this creates for smaller businesses. "We also have to consider what this could mean to smaller retailers focused on PCI compliance. I worked for a small business in the past where they had SBS [Small Business Server] 2000 directly connected to the internet, and traffic was being routed through that server. Setups like this do exist and they are vulnerable."
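The firewall mitigation and Reguly's SBS-on-the-internet example both come down to one question: which hosts expose the Server service to networks you do not trust? The following added example (it is not part of the article, and not Microsoft's or nCircle's code) is a small exposure check a practitioner could run from an untrusted vantage point. It assumes only that the Server service is reached over TCP 445 (direct-hosted SMB) and TCP 139 (NetBIOS session service), which is how SMB and RPC-over-named-pipes are carried; the host list, the local listener and the closed port used in `demo()` are constructed fixtures so the script runs offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed transport for the Windows Server service: TCP 445 (direct-hosted SMB)
# and TCP 139 (NetBIOS session service). Named-pipe RPC rides on these sessions.
SERVER_SERVICE_PORTS = (445, 139)


def is_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A plain connect() is enough for an exposure check: if the three-way
    handshake completes, whatever owns the port is reachable from this vantage
    point, so no firewall between here and the host is filtering it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def exposure_report(hosts, ports=SERVER_SERVICE_PORTS, timeout=1.0, workers=16):
    """Map each host to the list of Server-service ports reachable from here.

    Run from outside the perimeter: any host that comes back with a non-empty
    list is exposing the code path MS08-067 describes to unauthenticated
    remote callers, which is exactly the setup Reguly warns about.
    """
    def probe(host):
        return host, [p for p in ports if is_port_open(host, p, timeout)]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, hosts))


def demo():
    """Self-contained run (constructed fixture): a throwaway local listener
    stands in for an exposed host, and TCP port 1 stands in for a filtered one.
    Returns (listener_port, report) so the result can be checked."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    try:
        report = exposure_report(["127.0.0.1"], ports=(open_port, 1), timeout=0.5)
    finally:
        listener.close()
    return open_port, report


if __name__ == "__main__":
    port, report = demo()
    for host, open_ports in report.items():
        status = "EXPOSED" if open_ports else "filtered/closed"
        print(f"{host}: {status} {open_ports}")
```

For a real run, replace the fixture in `demo()` with `exposure_report(["10.0.0.5", "10.0.0.6"])` from a host outside the firewall; a non-empty list for a Windows 2000/XP/2003 host is the unauthenticated exposure the bulletin rates critical, and a correctly configured perimeter firewall should make every entry come back empty.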
In the Microsoft Security Response Center blog, Christopher Budd reveals that the company has released signatures for Microsoft Forefront and OneCare to detect exploits already in the wild (Win32/MS08067.gen!A), and is sharing malware detection information (TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Gimmiv.A.dll) with partners. The free, online Windows Live OneCare safety scanner has also been updated with the new signatures.

Ziv Mador of the Microsoft Malware Protection Center explains the malware's MO:

"Currently, attacks try to download a trojan named n2.exe to the victim's computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected."

Users are strongly encouraged to update immediately, says Reguly, because the patch itself points attackers at the vulnerable code. "Something that people need to remember is that a patch is released out-of-band for a reason. I'd suggest patching this immediately. This is being seen in 'limited, targeted attacks' according to Microsoft." He adds, "While the first thing that comes to mind with a patch is protection, malicious individuals are thinking, 'Yes, we can see where the vulnerability is.' This means it's easier for hackers to develop exploit code to take advantage of this vulnerability."

Microsoft is also planning to keep the community abreast of the situation via a webcast slated for October 23rd, 1:00 PM Pacific Time.