Network Security, Patch/Configuration Management, Vulnerability Management

Microsoft serves up out-of-cycle patch for Windows bug

Microsoft on Thursday shipped an emergency fix for a previously unknown Windows vulnerability that has the potential of turning into a worm.

The flaw exists in Windows Server and could allow unauthenticated remote attackers to send "bad packets" over a network to vulnerable Windows 2000, XP and Server 2003 systems, said Andrew Storms, director of security operations at nCircle.

Vista and Server 2008 systems are also vulnerable to attack but would require an authenticated user -- thus the bug is not wormable on those platforms, Storms said.

According to Microsoft's bulletin, an attacker could execute the remote code by sending a specially crafted Remote Procedure Call (RPC) request, in which one computer talks to another.

About two weeks ago, Microsoft began noticing targeted attacks taking advantage of the vulnerability, Christopher Budd, security program manager at Microsoft said in a blog post. However, no proof-of-concept code had been publicly released.

"As we analyzed the vulnerability in our Software Security Incident Response Process (SSIRP), we found that this vulnerability was potentially wormable on Windows XP and older systems," Budd wrote. "Our analysis also showed that it would be possible to address this vulnerability in a way that would enable us to develop an update of appropriate quality for broad distribution quickly."

Ziv Mador of the Microsoft Malware Protection Center said Thursday in another blog post that the exploit attempts to install a trojan named n2.exe, for which there are two variants.

"Basically if file sharing is enabled and the security update is not installed yet, the computer is vulnerable," Mador wrote.

Storms said Microsoft -- which typically ships patches on the second Tuesday of each month -- decided to release the rare, out-of-cycle fix because the bug did not require authentication and because it was determined to be "consistently" exploitable on older Windows versions.

"While they had the chance, they stepped in before it could be potentially something worse," Storms said.

Businesses immediately should deploy the patch, but they should also ensure they are running properly configured firewalls with appropriate policy settings, which typically help stop server-side exploits, he added.

Microsoft last released an out-of-band bulletin in April 2007 to correct potentially devastating flaws in the way Windows handles ANI files. In 2006, Microsoft issued an earlier-than-scheduled fix for a Windows Metafile (WMF) flaw.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.