Microsoft Sends Windows to the Emergency Room

[Editor's note: Except for Microsoft earnings, posts will be shorter today, as I struggle to push back the flu.]

Today would be a good day to fire up those patch management servers, particularly for enterprises running older Microsoft operating systems. That's most of you, right? Microsoft has got an important security update no one should delay applying.

GOT A TIP OR RUMOR?

According to today's security bulletin, MS08-67:

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.

Microsoft identifies 16 affected Windows versions, including service packs. Reminder: Microsoft only lists service packs that are currently supported. So, the number of actually affected Windows versions is much larger. That said, enterprises should be running newer, or the newest, supported service packs anyway.

The security exploit is "critical" for Windows 2000, XP and Server 2003 versions but only "important" for Windows Vista and 2008. "Windows Server 2008 server core installation affected," according to the security bulletin. The newer Windows versions are susceptible to compromise when the firewall is turned off or turned on with printer sharing enabled.

Microsoft will have a nice update present for Professional Developer Conference attendees. Participants are expected to receive Windows 7 Pre-Beta next week. According to the security bulletin:

This vulnerability was reported after the release of Windows 7 Pre-Beta. Customers running Windows 7 Pre-Beta are encouraged to download and apply the update to their systems. On Windows 7 Pre-Beta systems, the vulnerable code path is only accessible to authenticated users. This vulnerability is not liable to be triggered if the attacker is not authenticated, and therefore would be rated Important.

I don't mean to be critical. Microsoft deserves praise for this out-of-band security update that addresses a potential zero-date threat. I'd like to see the company even more seriously treat zero-day exploits.

Why did this exploit get A-1 treatment? Because it's wormable. Microsoft's Christopher Budd explains in a blog post:

We discovered this vulnerability as part of our research into a limited series of targeted malware attacks against Windows XP systems that we discovered about two weeks ago through our ongoing monitoring. As we investigated these attacks we found they were utilizing a new vulnerability and initiated our Software Security Incident Response Process (SSIRP). As we analyzed the vulnerability in our SSRP process, we found that this vulnerability was potentially wormable on Windows XP and older systems.

Those Microsoft security folks shutter at worms. Oh, they remember that nasty SQL server worm from years back. Worms. Yeah, yeah, buy Windows a flea collar.

There is a security Webcast at 4 p.m. EDT today, but I won't be attending. Microsoft announces fiscal 2009 first-quarter earnings around the same time.

[Please send your tips or rumors to watchtips at live.com].