Topic: Microsoft issues an out of cycle CRITICAL Windows Update

Wiz Feinberg
From: Mid-Michigan, USA
Posted 22 Oct 2008 9:58 pm
On Thursday, October 23, 2008, Microsoft released an "out of band" Windows Update to fix a critical vulnerability that is being exploited in the wild. Updates are usually pushed out at 1 PM Pacific Time, for manual or automatic Windows Updates. Apparently, most versions of Windows, from 2000 up, are affected, including server systems.
(struck through: I'll update this post when I learn the exact details of this sudden update release.) See my updates in the followup posts in this thread. This is a critical vulnerability being exploited now.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Last edited by Wiz Feinberg on 27 Oct 2008 11:05 am; edited 2 times in total

Jim Eller
From: Kodak, TN (Michigan transplant)
Posted 23 Oct 2008 8:47 am
Wiz,
Thanks again for helping the "computerly blind".
Jim

Wiz Feinberg
From: Mid-Michigan, USA
Posted 23 Oct 2008 10:25 am
Microsoft Security Bulletin MS08-067
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008
Version: 1.0
Executive Summary
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None

Jon Light (deceased)
From: Saugerties, NY
Posted 23 Oct 2008 12:40 pm
I downloaded & installed...8, I think?...update items on this Vista machine. Went to restart and it failed to start. It attempted to find & repair the startup problem and finally offered a system restore, which I accepted, and then it started up ok. Needless to say I am not in a hurry to reinstall these Windows updates.

Jack Stoner
From: Kansas City, MO
Posted 23 Oct 2008 3:02 pm
I got one security update this afternoon for my Vista 64bit PC.

Wiz Feinberg
From: Mid-Michigan, USA
Posted 24 Oct 2008 10:13 am
There is a zero day exploit in the wild - Patch NOW!
Yesterday, Microsoft released a security bulletin regarding a critical vulnerability in the Server Service, which allows an attacker to perform remote code execution by sending a specially-crafted RPC request on a target system. This vulnerability may be used by malicious users in crafting a wormable exploit, which may, should hackers design it so, render corporate networks clogged and virtually unusable. According to Microsoft, they released this security bulletin outside of their monthly release cycle to protect their customers from any attempted attacks related to this flaw.
Not long after the release, TrendLabs received reports of a zero-day exploit that takes advantage of this vulnerability. According to Trend Micro Advanced Threats Researcher Paul Ferguson, this exploit downloads a malicious file from a specific IP address. We now detect the downloaded file as TSPY_GIMMIV.A. Based on initial analysis, this spyware has routines that involve checking the registry for entries related to antivirus software, possibly in an attempt to avoid detection.
The span of time between the discovery of the exploits and reports of the vulnerability is so narrow that researchers have reason to believe that the vulnerability was first known to the hackers. Hackers may have already been actively exploiting this bug days before Microsoft received wind of the vulnerability. Note that patch Tuesday was released just a little over a week ago. But kudos to Microsoft for delivering this immediate solution to prevent more users from becoming victims.
Trend Micro Smart Protection Network already blocks the malicious URL where this spyware is downloaded from. We highly recommend users to immediately update your computers and download the fix patch provided by Microsoft.

John Cipriano
From: San Francisco
Posted 25 Oct 2008 3:49 pm
It's very important that people get the patches for the issues Wiz listed above. Usually when there's an out-of-band patch release from MS it's because people are already actively exploiting the big.
Anyway, this is a pretty big one.
Jon...if you can't get Windows updates going, try and get the patch by doing a web search for "958644". You will want the Vista version. Do what you can to get Windows Updates working again. Often, as in this case, the updates are released because there is an important security vulnerability that needs patching. I'd say the best thing here is to install the updates one by one until your machine doesn't start, and then just skip that particular one until you can figure out what the issue is.
Plus, when the patch is released, the vulnerability gets that much more press and it's more likely that people will start making worms around it, partly because they might be able to get some insight by disassembling the patch.

Dave Potter
From: Texas
Posted 25 Oct 2008 4:59 pm
John Cipriano wrote:
    there's an out-of-band patch release from MS it's because people are already actively exploiting the big.
The "big"? That would be...........?

Jon Light (deceased)
From: Saugerties, NY
Posted 25 Oct 2008 5:06 pm
Thanks, John. I realized after posting that the problem was of my own making, to an extent, and I have indeed installed this most recent patch. All the others were sitting, uninstalled, from 10-14. I haven't gotten the hang of my settings and notifications on this Vista machine. Several of these patches say they are important and I can't see any way around doing that one-at-a-time thing until I find the bad one. Or who knows, it might go trouble-free.

Jon Light (deceased)
From: Saugerties, NY
Posted 26 Oct 2008 12:27 pm
Well, I went in and did each of these older updates, one at a time, restarting windows each time and everything went fine.
So I hope everybody is sitting down because I have some alarming news------apparently occasionally Windows will do some odd, erratic things!! I know, I know---it's hard to believe. I wish I had known. But I'm optimistic that it was a one time thing and that everything will go smoothly from now on. I mean--they wouldn't put something on the market unless it performed flawlessly, right?

John Cipriano
From: San Francisco
Posted 27 Oct 2008 12:03 am
"Exploiting the bug" is what I should have said. I'll just leave it now rather than edit.
Jon...I am trying to remember when it has happened to me specifically but I have seen it where updates will try to install out of order, and one is required by the other, and the only way to remedy the situation is to install whatever update is causing the problem manually.
The description for the updates will have a link to a Microsoft KB article, which lists details about the update, like if it has prerequisites or if it replaces an earlier update. This information can be useful if you are having a problem with a particular update.
But in general what will happen if you get way behind is Windows will try to install a whole bunch of updates at once. If you are having problems installing, say, 10 or 20 updates, just do them one or two at a time.
It's unfortunate that your problem caused your machine to not start properly. Usually when there's a problem with the updates, they just don't finish installing and you get a message about it.

Wiz Feinberg
From: Mid-Michigan, USA
Posted 27 Oct 2008 11:22 am
MS08-067 now being exploited
Security researchers have identified a new in-the-wild exploit of the MS08-067 out-of-band critical patch released by Microsoft, on October 23, 2008. The threat is a Worm, named GIMMIV.A, which drops three malware files into a particular Windows System directory. Once installed, these files will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host.
You can read the technical details about the GIMMIV.A Worm here.
The patch for this buffer overflow vulnerability was pushed out on Thursday, October 23, just nine days after the regular October Windows Updates were released. This was the first time in a year and a half that Microsoft had to push out an "out-of-band" security patch and I urge you all to make sure it is installed in your Windows 2000, or newer computers.
This malware is capable of spreading to other computers on the same wired or wireless network as is the infected computer, thus it is deemed to be a Worm. This could be disastrous for business networks, if they don't have intrusion detection software installed, to detect threats inside the routed network. All it takes is one employee plugging in an infected laptop, or PIM, to let this password stealer loose on the entire network!
Patch your Windows computers NOW (via Windows Updates), especially if you have a network. More exploits are being written as I type this.
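The bulletin quoted earlier in this thread rates MS08-067 Critical on Windows 2000, XP and Server 2003 and Important on Vista and Server 2008, and the post above asks everyone to make sure the fix is installed. The script below is an added example for administrators who want to verify that across several machines; it is not from the thread, from Microsoft or from Trend Micro. It assumes PowerShell 2.0 or later, WMI access to each host (administrative rights for remote ones), and that the fix shows up in the installed-hotfix list under the knowledge base number given in the bulletin, 958644. The function name Get-MS08067Rating is my own; the severity mapping inside it is copied from the quoted bulletin text.

```powershell
# Added example (not the thread's, Microsoft's or Trend Micro's code): audit whether
# the MS08-067 fix (KB958644) is installed on one or more Windows hosts and report
# the bulletin's severity rating for each host's OS family.
# Assumes PowerShell 2.0+ and WMI access (admin rights for remote hosts).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Severity as stated in the quoted bulletin: Critical for Windows 2000 / XP /
# Server 2003, Important for Vista / Server 2008. Anything else is reported as
# not covered rather than guessed.
function Get-MS08067Rating {
    param([string]$OsCaption)
    if ($OsCaption -match 'Windows 2000|Windows XP|Server 2003') { return 'Critical' }
    if ($OsCaption -match 'Vista|Server 2008')                 { return 'Important' }
    return 'Not covered by MS08-067'
}

foreach ($computer in $ComputerName) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop

        # KB958644 is the knowledge base number the bulletin attaches to this fix.
        $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq 'KB958644' }

        # The vulnerable code is in the Server service (LanmanServer). Its state is
        # reported so an unpatched host that is also exposing the service stands out.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                             -Filter "Name='LanmanServer'" -ErrorAction Stop

        $action = if ($fix) { 'Patched' } else { 'Install KB958644 (MS08-067) via Windows Update now' }

        New-Object PSObject -Property @{
            Computer      = $computer
            OS            = $os.Caption
            Rating        = Get-MS08067Rating $os.Caption
            KB958644      = [bool]$fix
            ServerService = $svc.State
            Action        = $action
        } | Select-Object Computer, OS, Rating, KB958644, ServerService, Action
    } catch {
        # A host that cannot be queried is reported, not silently skipped.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it with no arguments to check the local machine, or pass a list of host names (for example, the contents of a text file) to get one line per host showing its OS, the bulletin rating, whether KB958644 is present and whether the Server service is running. Hosts for which WMI fails are listed as warnings so that a blank line is never mistaken for a patched machine.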