Microsoft Releases Emergency Security Patch
Date : 23 Oct 2008 Category : Technology
News of the patch first appeared in a brief blog posting by MSRC security program manager Christopher Budd, who wrote that "I wanted to let you know that we've just posted an advance notification for an out-of-band bulletin release. We plan to release one Windows security bulletin with a maximum severity of critical; scheduled for a target time of 10:00 a.m. PT on Thursday Oct. 23, 2008. A restart will be required."
Microsoft was hosting a special Webcast Thursday afternoon to discuss the threat in detail.
'Wormable' Flaw
The patch is intended to prevent hostile code from executing specifically constructed remote procedure calls on vulnerable systems. It is described as critical for every flavor of Windows from XP forward.
So far, there are relatively few details about how the security hole might be exploited, and no indication that it has been. Preliminary reports, however, have described it as a "wormable" flaw -- i.e., a software weakness that could be exploited without any action on the part of the user.
Some preliminary information about the nature of the threat was contained in an updated Microsoft Security Bulletin Summary for October 2008. Under the dry heading of "Vulnerability in Server Service Could Allow Remote Code Execution," Microsoft says that "consistent exploit code has been discovered in limited, targeted attacks, affecting Windows XP and Windows Server 2003."
The summary linked to the more specific Microsoft Security Bulletin MS08-067-Critical, which states that "On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that...