Microsoft to issue emergency fix on Thursday

Share this article:
Updated on Thursday, Oct. 23 at 11:01 a.m. EST

Microsoft is pushing out a rush fix on Thursday for an apparently major Windows vulnerability, the company said late Wednesday.

This is the first time Microsoft has issued an out-of-cycle bug fix in about 1 1/2 years. The bulletin, rated critical, is expected to be released at 1 p.m. EST, Christopher Budd, security program manager at Microsoft said in a blog post.

According to the advance notification, the patch has a critical severity rating for Windows 2000, XP and Server 2003 and an important rating for Vista and Server 2008. The notice does not state what specifically is vulnerable.

Researcher Aviv Raff, though, said he thinks the patch is related to a "token kidnapping" vulnerability that Microsoft disclosed in a bulletin in April and revised earlier this month to recognize the release of public exploit code.

Here is how Microsoft described the threat:

"Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService," the company said. "Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well."

Beginning Oct. 7, Cesar Cerrudo, founder and CEO of Argeniss, an Argentina-based security consultancy, posted exploit code on two occasions.

Microsoft has not released an out-of-cycle patch since April 2007, when the software giant delivered one for numerous vulnerabilities in Graphics Device Interface. That fix resolved an issue in the way Windows handled ANI files.

Microsoft normally releases patches on the second Tuesday of each month.

A vulnerability with a critical rating means remote code can be executed to compromise a machine.

"It probably [is] something critical with possible mass exploitation," Raff told SCMagazineUS.com via instant messenger, referring to Thursday's expected fix.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.