New Microsoft patch gets DHS push
Rare step engendered by Windows Server vulnerability
IDG News Service -
The U.S. Department of Homeland Security warned Wednesday that a recently patched Microsoft Corp. Windows vulnerability could put the nation's critical infrastructure at risk.
The patch, described in Microsoft Security Bulletin MS06-040, relates to Windows Server services. It was one of 12 updates issued Tuesday by the software maker, but security experts are particularly concerned with the bug because hackers have already exploited the vulnerability.
Microsoft is advising customers to give this update priority, said Christopher Budd, a security program manager at Microsoft's security response center. "The top thing that we're trying to help people understand is we want them to take 06-040 and put it at the top of the stack," he said late Tuesday.
The DHS statement echoed Microsoft's sentiments, warning that the vulnerability "could impact government systems, private industry and critical infrastructure, as well as individual and home users."
Attackers have already started exploiting the vulnerability in a limited manner, Budd said. A sample exploit has been published within Immunity Inc.'s security testing tool kit, and snippets of the malware are beginning to circulate in public, security vendors said.
The bug is of particular concern because Windows Server services are generally enabled by default on Windows systems, and a worm based on the flaw could become widespread. Windows Server services are used for common network applications such as file sharing and printing.
The fact that DHS has taken the rare step of warning about MS06-040 underscores the severity of the situation, said Jonathan Bitle, manager of technical accounts at Qualys Inc.
But because security-conscious companies are blocking the Internet ports used by this malware -- Ports 139 and 445 -- any worm will have a hard time jumping from one corporate network to another, Bitle said. "It will probably be the type of situation where if a worm does come out, it will hit sporadically through different companies where they haven't been able to apply the patches or put the controls in place," he said.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts