
Microsoft has released the "out of cycle"
critical server security patch it
promised yesterday.
Critical patch MS08-067 resolves a vulnerability in the Server
service that affects all currently supported versions of
Windows.
The patch for Windows XP and older versions is rated as
"critical", whilst the version for Windows Vista and newer versions
is rated as "important".
"Because the vulnerability is potentially wormable on those
older versions of Windows, we’re encouraging customers to test and
deploy the update as soon as possible," said Microsoft.
Microsoft said, "We discovered this vulnerability as part of our
research into a limited series of targeted malware attacks against
Windows XP systems, that we discovered about two weeks ago through
our ongoing monitoring.
"As we investigated these attacks we found they were utilising a
new vulnerability and initiated our Software Security Incident
Response Process (SSIRP). As we analysed the vulnerability in our
SSIRP process, we found that this vulnerability was potentially
wormable on Windows XP and older systems."
The patch has been issued after the main batch of regular
monthly patches released earlier this month.
Microsoft said, "Our analysis showed that it would be possible
to address this vulnerability in a way that would enable us to
develop an update of appropriate quality for broad distribution
quickly. We felt that it was in the best interest of customers for
us to release this update before the regular November release
cycle."
One blue-chip firm, preparing to patch company machines over the
weekend, reported that it had also emailed all staff asking them to
ensure their home and personal computers were also secured
against vulnerabilities. The email said:
"It would also be a good move for you to check your home
machines to see if you have the latest Microsoft updates: you can
do this by following the link to Microsoft’s website:
http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us"
More on the security update:
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx