[Patrician]

Microsoft's urgent security update: What it means | News - Security - CNET News


Earlier today, Microsoft did something unusual. The company made an exception to its normal security processes and issued an "out-of-band" urgent update.

The update applied is classified as critical for Windows XP and older versions and is considered important for Windows Vista.

After speaking with Microsoft earlier today, I strongly suggest that users understand the importance of this update and begin emergency patching procedures immediately. While exploits around this Windows vulnerability have been limited thus far, Microsoft concedes that it could be exploited by old-school Internet-based worms a la 2004 and do massive amounts of damage. In addition to patching Windows systems, I also encourage users to install the latest security signatures from endpoint and network security vendors.

Microsoft's "out-of-band" reaction speaks to the seriousness of this threat, but I can't help but be impressed with the behind-the-scenes effort that led to this action. It is noteworthy to point out a few things:

1. Microsoft security researchers discovered this vulnerability themselves with the aid of some customer data. In other words, this vulnerability was not brought to Redmond's attention by a third-party researcher, Black Hat Web site "chatter," or a series of massive malicious exploits. This is a good proof point to those who still believe that Microsoft does not take security seriously.

2. In preparation for the urgent update, Microsoft has been sharing data and patches with other endpoint and network security vendors as part of a number of security partnering programs. This means that notification from Microsoft will likely be followed by new security signatures and support by leading security vendors.

3. It is worth mentioning that the vulnerability in Windows Vista is not as pronounced as older versions of Windows. To me, this speaks to the effectiveness of the Security Development Lifecycle (SDL) process. Lessons learned from this vulnerability will be integrated into future revisions of SDL as part of a constant improvement cycle.

Some will point fingers at Microsoft and claim that this "out-of-band" security bulletin is further proof that Microsoft remains an anathema to security. I don't share this view. Complex software will always contain vulnerabilities and bugs. The trick is to fix as many as you can during the development and testing process, continue security research once software is released, and respond to problems with professionalism, industry collaboration, and haste. In my view, Microsoft is doing a good job at following this model.

[Patrician]

To make it simple just go here:

http://www.microsoft.com/technet/sec.../MS08-067.mspx



and pick out your version of Windows and download the patch.

[Kym Robinson]

Thankyou for your vigilence Pat!

It is comforting to know you are looking out for us!
I have been having computer issues for days - consequently.......I ran ove to the link you provided and downloaded! It seems I have missed a few updates somehow but Im all good now!

Thanks again!
Kym

[Jeff Casmer]

Hi Pat,

Thanks for letting us know...

Take care
Jeff

[Cynthia Minnaar]

Hi Pat

Thanks for the heads-up on this.

Cheers for now
Cyn

[GT]

Yes, thanks, Pat!

Actually, one other time, not too long ago, when you gave us some warnings about our protection suites, etc., I made sure mine was up-to-date, so hopefully the issue in question here is covered in my computer. As far as I know, it's all good! Thanks again for your concern and vigilance.

GT

[Patrician]

NO this is brand new, discovered today (only took them 4 years) - the great thing is they actually discovered it themselves.

'out of band' means it is not even on automatic updates or critical updates - it is a one-off -

i am sure it will be covered in both of the above eventually - give them another few years. lol.

you should have your computer settings to allow automatic updates and this will protect you from most things usually.

[Doug Gorman]

Thanks Pat...fantastic heads up.

Doug

[Patrician]

Microsoft Bug: Patch Now, Patch Fast


By Stefanie Hoffman, ChannelWeb
3:11 PM EDT Fri. Oct. 24, 2008
If there's anything that Microsoft (NSDQ:MSFT) is telling its users, it's to patch their systems, and fast.

After Microsoft released an out-of-band update for a critical Windows vulnerability that allows hackers to execute a malicious Internet worm on users' computers, security experts are strongly recommending that users apply patches immediately.

Specifically, the remote execution vulnerability allows hackers to write worm code—malicious self-propagating code that doesn't require any user interaction—by crafting a special RPC request. A successful attack would enable the hacker to take complete control of a victim's computer, and ultimately steal sensitive financial information from their victims. In addition, once a user's system is affected, the malicious code has the ability to rapidly self-propagate and infect every other unpatched computer in the network.

The flaw, which affects almost every Windows operating system, is rated "critical" for many of the earlier versions of Windows, including Windows 2000, XP and Server 2003. However, the bug was given the less severe rating of "important" for Windows Vista and Server 2008.

Security experts maintain that the exploit code has actively been used in the wild, with exploits stemming from hackers who have already reverse-engineered the patch.

"The frightening thing to me is just how quickly the bad guys were able to turn out an exploit," said Paul Henry, security and forensic analyst at Lumension Security, Scottsdale, Ariz. "I really think that speaks volumes about the necessity to deploy your patches very quickly, and very widely."

Henry said that researchers detected malicious code designed to grab user credentials before encrypting them and sending them to a New Jersey-based server. Henry said that the malware has so far affected at least 3,600 users, but said that the number would likely increase significantly over the weekend.

Meanwhile, an advisory by San Diego-based Websense also alerted users that hackers have unleashed attacks by installing the Trojan Gimmiv. The alert noted that only 25 percent to 36 percent of antivirus vendors could detect the malicious exploit code.

In a blog posting, Microsoft security researcher Michael Howard contended that that the bug, which stems from a stack-based buffer overflow vulnerability, was difficult to detect due to its complexity.

"I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly," he wrote. "In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck."

Howard said that in the last year he had noticed that many Windows bugs, like the recently detected Internet worm, fell into the category of "onesey-twosies"—that is, complex derivatives of existing vulnerabilities.
"First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code," he said. "The bad news is we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives."

Henry added that the severity of the flaw, emphasized by the out-of-band patch, underscores the need for enterprises to consider automated patch management technologies. "The big gotcha is, unless you have automated methodology enterprise wide, you could be caught up in this because you're not going to have enough time to patch your systems."

Microsoft Bug: Patch Now, Patch Fast - Security - IT Channel News by CRN and VARBusiness

[leb123z]

Hi Pat! Long time you no see me, but I'm still alive and kickin' I just popped on to read some posts and found this, so thank you very much for lookin' out for your PIPsters, as always! I'm glad I found your post!

Part of my not being here is my puter has needed some new memory - my pages were freezing up and it was taking me hours to open and close Windows. I thought I had a virus, but today......voila! I installed my own new GB of memory...what a concept...and now I'm so excited to write up a storm!! This could be my inspiration for a fresh article even!

Thanks!

Liane

[Patrician]

Hi Liane! I'm always glad when you pop back in and to know how you are doing!

Glad you got your 'puter up and running again!

[talfighel]

Hi Pat,

Thanks for letting us know about this.

Tal

[Alan Thomas]

Pat,

Thanks for the warning.

Alan