The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated "critical" on Windows 2000, Windows XP and Windows Server 2003.
On Windows Vista and Windows Server 2008, the flaw carries an "important" rating.
From Microsoft's critical MS08-067 bulletin:
- A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Microsoft said it was aware of "limited, targeted attacks attempting to exploit the vulnerability" but the company did not provide any clues about the origin of the attacks or the target that was hit. There are no signs yet of public proof-of-concept code.
According to the bulletin, there is a chance that the vulnerability could lead to a "wormable exploit."
The vulnerable Windows Server service provides RPC support, file and print support, and named pipe sharing over the network. It is also used to allow the sharing of your local resources (such as disks and printers) so that other users on the network can access them.
This is the first out-of-cycle patch from Microsoft since the fix for the animated cursor vulnerability in April 2007. It is the 67th bulletin from Redmond this year.