MS ships emergency patch for Windows worm hole

Summary: Microsoft has released an out-of-band patch to fix an extremely critical worm hole that exposes Windows users to remote code execution attacks. The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory.


Microsoft has released an out-of-band patch to fix an extremely critical worm hole that exposes Windows users to remote code execution attacks.

The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated "critical" on Windows 2000, Windows XP and Windows Server 2003.

On Windows Vista and Windows Server 2008, the flaw carries an "important" rating.

From Microsoft's critical MS08-067 bulletin:

  • A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft said it was aware of "limited, targeted attacks attempting to exploit the vulnerability" but the company did not provide any clues about the origin of the attacks or the target that was hit. There are no signs yet of public proof-of-concept code.

According to the bulletin, there is a chance that the vulnerability could lead to a "wormable exploit."

  • The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
  • Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

The vulnerable Windows Server service provides RPC support, file and print support, and named pipe sharing over the network. It is also used to allow the sharing of your local resources (such as disks and printers) so that other users on the network can access them.

This is the first out-of-cycle patch from Microsoft since the fix for the animated cursor vulnerability in April 2007. It is the 67th bulletin from Redmond this year.

  • Patches

    Microsoft catches a lot of slack but they do a good job of getting patches out there. I haven't had any problems with Windows Update in a few years.
    • Patches? ... PATCHES??!??


      oh.. wait.. we're running Microsoft's Windows ... we DO need patches..

      ... carry on please..

      • At this time of year

        I see a lot of Patches. Particularly pumpkin patches!
        Three Microsoft programmers walk into a bar. The bartender looks at the first programmer and then turns to the other two and says "Jesus, your buddy there has a hole where his left eye should be."; and the other two programmers reply in unison "that's OK we're working on a patch!"
    • You're lucky

      I have an XP machine that won't update unless IE is running. When I tell it to download updates, it just sits there forever, until I kick off IE, then the downloads run.

      Best I can figure, it's an undocumented feature...
  • RE: MS ships emergency patch for Windows worm hole

    What do I think? I think I'm glad I use a Mac.
    • Why would you think that? (NT)

      Loverock Davidson
    • Are you talking about the OS that lost the OWN2PWN contest?

      You do realise that OS X was the ONLY OS to get hacked right out of the box and it took less than 5 minutes to accomplish?

      Besides, Apple apologists say the same thing every time another 50+ mega patch comes out full of fixes for extremely critical remote code execution vulnerabilities: at least it was patched before Steve Jobs admitted to the exploits that are out there!

      When you combine the inherent insecurities in OS X (as proven by OWN2PWN) with the outrageously overpriced hardware you are locked into buying, I can honestly say I'm glad I use everything but a Mac and every time I give Apple another shot by trying one in a store or I listen to my father talk about the endless crashes he gets, I feel stronger and stronger that I made the right decision. :)
      • Maybe you should get some facts on the

        pwn2own, it was not the OS that was breached and it was an application that caused the issue. And this app was vulnerable on both Linux and Windows.
        • Irrelevant. In the end the Mac was compromised first.

          OS X, Windows, and Linux. They're all vulnerable. For the OP to pretend this is unique to Windows is dishonest.
          • Only because he had a choice and he....

            wanted the Apple Computer not the Windows or Linux Systems.
          • Perhaps. But in the end it was OS X which fell first. (nt)

          • sorry, but you're wrong

            keep in mind, the laptop was the icing, the cash prize would have bought two Apple laptops or three/four Windows/Linux laptops.

            Apple fell to first party code, windows fell to third party code that would have brought down all three.
          • Since when did you ever think

            You could reason with a high and mighty elitist Mac Zealot? They work for the lefty propaganda machine you know. ;o)
          • OSX was hacked first because....

            ... the team that created the exploit wanted the Mac
            notebook. The exploit would have worked on Windows or
            Linux, but they wanted the Mac. What kind of
            endorsement of the other OSes is it when the hackers prefer
            to own the Mac?

            (this was meant as a reply to ye)
          • Let's do this.....

            Let's add up the Windows exploits and then add up the Mac exploits and then add up the Linux exploits. Nuff said!
          • @todbran

            Let's do this instead, add up the total number of
            machines in use and poll their OS's. Hold on while I
            slip on my flame proof suit here, [zip]. Hm where is
            OS X now? Linux? Really who cares? We all know the
            only reason nobody even bothers writing hacks and
            exploits for Apple is because they want to actually
            affect a significant number of users. If the roles
            were reversed then we would be living in a world where
            Steve Jobs is a mega bazzilionaire and Bill Gates
            would be releasing an awesome new Zune and zPhone
            every couple of months, and we would all be getting harassed from marginalized, and annoyed because they
            are marginalized Windows users. But I guess trying to
            appeal to reason never really works.
          • Nice try!

            (Sorry, I screwed up my first post.)

            Wasn't the problem with a Perl library that Apple had not bothered updating? Since Perl doesn't ship with Windows there's no way that exploit would have worked on the Windows machine. And since the Linux distro did have the updated Perl library, it also wasn't vulnerable.
          • Buzzzt, sorry, you lose

            If anyone had managed to crack a system on day one, the cash prize would have been enough to buy 2 of each laptop.
          • can you say "load of crap"?

          • So...

            The entirety of your knowledge about computers comes from a decades old movie about hackers huh?

            'Hackers' as it were generally have no real skill, and use exploits and worms written by other people to weasel their way in to do stupid things. Crackers are generally more skilled and write the software hackers use. I'm sorry, but I'm not impressed by people who can't write a line of code, might know how a router works, and contribute nothing to computing as a whole.

            If you want the hackers, you can have them.