Panic patch proves 2nd-Tuesday rule

In Friday's IT Blogwatch, Richi Jennings watches Microsoft scurry to fix a really, really serious vulnerability in every version of Windows. Not to mention the chimp riding a Segway in Japan...

Robert McMillan bobs his head:

Microsoft Corp. fixed a critical bug in its Windows operating system Thursday, saying that it is being exploited by online criminals and could eventually be used in a widespread "worm" attack.

Microsoft took the unusual step of issuing an emergency patch for the flaw several weeks ahead of its regularly scheduled November security updates, saying that vulnerability is being exploited in "limited targeted attacks."

...

The flaw lies in the Windows Server service, which is used to connect different network resources such as file and print servers over a network ... It could wreak havoc within corporate local area networks, much as the Zotob computer worm did back in 2005.

Dan Goodin goes all anthropomorphic on us:

'Critical' bug squashed ... an emergency security update for a broad swath of its users that patches a critical security hole that is already being exploited in the wild ... could allow miscreants to create wormable exploits that remotely execute malicious code on vulnerable machines ... No interaction is required from the end user.

...

The vulnerability stems from the failure of Windows server service to properly vet remote procedure call (RPC) requests for malicious content ... anonymous users with access to the target network could exploit the weakness by sending a specially crafted network packet to the affected system.

...

On the 2000, XP, and Server 2003 versions of Windows ... Microsoft rated the vulnerability as "critical" - its most severe designation ... [and] "important" for users of Vista and Server 2008 ... That's a testament to the work over the past few years by Microsoft's security team.

Brian Krebs stares at his calendar:

Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month ... the few times it has departed from its Patch Tuesday cycle it has always done so to stop the bleeding on a serious security hole that criminals were using to break into Windows PCs on a large scale.

...

Criminals have for the past three weeks been using the vulnerability to conduct targeted attacks ... So far, fewer than 100 targeted attacks leveraging this flaw have been spotted by Microsoft's security team, but ... the number of attacks appears to be increasing of late.

...

Microsoft does not release these so-called "out-of-band" updates lightly. I would highly recommend applying this patch as soon as possible, either by visiting Windows Update or enabling Automatic Updates.

Patrik Runald agrees:

The reason for the out-of-band patch is that there is already malware actively using the vulnerability to infect computers, which we detect as Trojan-Spy:W32/Gimmiv.A. This trojan steals confidential information from the computer and sends it back to the attacker.

...

This is exactly the type of vulnerability Blaster and Sasser used to infect millions of computers back in 2003 and 2004 ... We recommend that everyone apply the update as soon as possible.

Grant J. Warkentin asks:

Why hasn't this been caught in the 3,000 previous security issues patched for Windows? It seems like kind of a biggie.

...

Why did it take so long to catch this one? The tinfoil hat backdoor NSA ... theories seem almost believable.

Microsoft's Michael "mugshot" Howard digs in deep:

I want to start by analyzing the code to understand why we did not find this bug ... The code in question is reasonably complex code to canonicalize path names; for example, strip out '..' characters and such to arrive at the simplest possible directory name. The bug is a stack-based buffer overflow inside a loop; finding buffer overruns in loops, especially complex loops, is difficult to detect.

...

I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly.
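The canonicalization loop Howard describes, as an added example that is not Microsoft's code: a constructed '..'-stripping routine in C that carries the length check a stack-based overrun of this kind lacks, and treats ".." at the root as a no-op. The function name, the '/'-separated input form and the buffer sizes are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Canonicalize a '/'-separated path into out (capacity outcap): collapse
 * repeated separators and resolve "." and "..".  Returns 0 on success, -1 if
 * the result would not fit.  Constructed example: a loop of this shape writing
 * into a fixed-size stack buffer, minus the check marked below, is the bug class. */
int canonicalize_path(const char *in, char *out, size_t outcap)
{
    size_t olen = 0;                      /* bytes written, excluding NUL */
    const char *p = in;
    if (outcap < 2)                       /* need room for "/" plus NUL */
        return -1;
    while (*p != '\0') {
        const char *seg;
        size_t seglen;
        while (*p == '/')                 /* collapse runs of '/' */
            p++;
        if (*p == '\0')
            break;
        seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;                     /* "." contributes nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* ".." pops the previous component; at the root it is a no-op,
             * so the result can never climb above the root */
            while (olen > 0 && out[olen - 1] != '/')
                olen--;
            if (olen > 0)
                olen--;                   /* drop that component's '/' */
            continue;
        }
        /* Length check before every append: '/' + segment + NUL must fit.
         * Remove this check and the loop overruns the caller's buffer. */
        if (olen + 1 + seglen + 1 > outcap)
            return -1;
        out[olen++] = '/';
        memcpy(out + olen, seg, seglen);
        olen += seglen;
    }
    if (olen == 0)
        out[olen++] = '/';                /* empty result is the root */
    out[olen] = '\0';
    return 0;
}
```

A fuzz harness that feeds random runs of '/', '.' and letters into a small, canary-guarded buffer would catch the unchecked variant on the first long segment; the checked version above returns -1 instead.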

But Yohann Drakkenmensch is a furry cynic:

You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of ... quietly patching it a few months later amidst a flood of innocuous driver updates.

And finally...

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23-year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Copyright © 2008 IDG Communications, Inc.