A scary security flaw that would allow malicious worms to infect one PC and then automatically jump to others prompted Microsoft to release a rare out-of-cycle patch in October. The glitch is critical for both 32-bit and 64-bit versions of Windows XP and Windows Server 2003, and for Windows Server 2000. Microsoft says that targeted attacks exploited the hole prior to the patch’s release, and that “detailed exploit code” is currently available online.
This marks the first time since April 2007 that Microsoft has released a fix outside of its normal Patch Tuesday cycle; the early release was sparked by lessons learned from worm epidemics like Blaster and Slammer, which cost users billions of dollars to disinfect in 2003.
Though the new hole is a huge risk, protections put in place since those worms surfaced make another epidemic far less likely. Most important is Windows XP’s default-on Windows Firewall: a worm crafted to attack the new flaw would have to establish an inbound connection to its target, which firewalls usually block. If a PC has no firewall, however, or if it is set up to permit file sharing and an attack comes from an infected PC on the same network, the worm could take over the targeted PC. Business networks, which typically have many PCs configured for file sharing, are thus at high risk.
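The propagation pattern described above (one infected PC opening file-sharing connections to many neighbours on the same network) is exactly what shows up in the Windows Firewall log of every PC it touches. The following is an added example, not code from the article or from Microsoft: it parses lines in the pfirewall.log field order (date, time, action, protocol, source IP, destination IP, source port, destination port, trailing fields ignored) gathered from several PCs, and flags any source that reached the file-sharing ports on several distinct hosts within a short window. The ports (TCP 139 and 445, used by Windows file and printer sharing) are a known fact not stated in the article; the log lines, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports used by Windows file and printer sharing (SMB over NetBIOS and
# direct-hosted SMB). Known fact; not taken from the article.
FILE_SHARING_PORTS = {139, 445}

# Constructed sample: Windows Firewall (pfirewall.log) lines collected from
# several PCs and concatenated. Each data line is the logging PC's own view,
# so dst-ip is the PC that wrote the line. Hosts and times are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-10-24 10:15:01 DROP TCP 192.168.1.23 192.168.1.40 1034 445 48 S 3114209210 0 65535 - - -
2008-10-24 10:15:01 DROP TCP 192.168.1.23 192.168.1.41 1035 445 48 S 3114209211 0 65535 - - -
2008-10-24 10:15:02 OPEN TCP 192.168.1.23 192.168.1.42 1036 445 48 S 3114209212 0 65535 - - -
2008-10-24 10:15:02 DROP TCP 192.168.1.23 192.168.1.43 1037 139 48 S 3114209213 0 65535 - - -
2008-10-24 10:15:03 DROP TCP 192.168.1.23 192.168.1.44 1038 445 48 S 3114209214 0 65535 - - -
2008-10-24 10:20:00 OPEN TCP 192.168.1.10 192.168.1.40 2211 445 48 S 3114209300 0 65535 - - -
2008-10-24 10:20:05 OPEN TCP 192.168.1.10 192.168.1.40 2212 80 48 S 3114209301 0 65535 - - -
2008-10-24 11:00:00 DROP UDP 192.168.1.77 192.168.1.40 137 137 78 - - - - - - -
"""


def parse_firewall_log(text):
    """Return a list of (timestamp, action, proto, src, dst, sport, dport).

    Header lines (starting with '#') and malformed lines are skipped; only the
    first eight fields are used, so extra trailing fields do no harm.
    """
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
            sport, dport = int(fields[6]), int(fields[7])
        except ValueError:
            continue  # not a data line we understand
        records.append((ts, fields[2], fields[3], fields[4], fields[5], sport, dport))
    return records


def find_smb_sweeps(records, min_targets=3, window=timedelta(minutes=5)):
    """Map each suspicious source IP to every host it touched on a file-sharing port.

    A source is suspicious when, within `window`, it reached TCP 139/445 on at
    least `min_targets` distinct hosts. Dropped and accepted (OPEN) attempts
    both count: a blocked attempt still reveals the scanning host.
    """
    by_src = defaultdict(list)
    for ts, action, proto, src, dst, sport, dport in records:
        if proto == "TCP" and dport in FILE_SHARING_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= min_targets:
                flagged[src] = sorted({dst for _, dst in events})
                break
    return flagged


if __name__ == "__main__":
    for src, targets in find_smb_sweeps(parse_firewall_log(SAMPLE_LOG)).items():
        print(f"{src} reached file-sharing ports on {len(targets)} hosts: {', '.join(targets)}")
```

On the sample, 192.168.1.23 is flagged (five neighbours on 139/445 within three seconds) while 192.168.1.10, which opened a single legitimate share, is not. A flagged host is a candidate for isolation and a check that the patch has actually been applied; the thresholds are starting points to tune against what normal file-sharing traffic looks like on the network in question.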
Windows Vista and Windows Server 2008 have mitigating factors that reduce the risk from “critical” to “important,” as rated by Microsoft. The company distributed the fix via Automatic Updates, but alternatively you can download it from Microsoft’s Bulletin MS08-067 page. That page also provides further information on the situation.
IE Fixes, Too
On its regular Patch Tuesday schedule, Microsoft supplied fixes for six bad holes in Internet Explorer, underscoring the need to upgrade to IE 7 as soon as possible.
The wide-ranging flaws affect IE 5, 6, and 7 on Windows 2000, XP, Vista, Server 2003, and Server 2008, but they’re most serious if you use an older version of IE on Windows XP or 2000. In those cases, an attack could run any command and have its way with your PC. If you’ve upgraded to IE 7, the flaws permit miscreants to steal user names or other cookie-based data, but nothing more.
Two of the bugs were rated as most dangerous in Microsoft’s new “exploitability index assessment,” which gauges how likely an attack is against a given vulnerability. Get the fixes through Automatic Updates, or download the patch (and read more about the new exploitability ratings) from Microsoft TechNet.
Once again, security software has created an insecurity. If an F-Secure program (ranging from Internet Security 2008 to Anti-Virus 2008 to Home Server Security 2009, in versions dating back to 2006) scans a poisoned compressed file, your PC could be compromised. F-Secure says that no attacks have occurred, but if you use any of these versions, make sure that it has picked up the latest program updates (which should happen automatically).