Microsoft released on Thursday an emergency update for a major security flaw that could be used to automatically spread malicious code to systems running Windows XP and earlier versions of the company's operating system.
The vulnerability, caused by the flawed processing of remote procedure call (RPC) requests by the Windows Server service, is already being used by online attackers to compromise vulnerable systems, Microsoft said in its advisory. Windows XP, Windows 2000 and Windows 2003 systems could be compromised remotely, if the systems do not have a personal firewall installed and working or if file and printer sharing is activated. Windows Vista and Windows Server 2008 systems are not as vulnerable to exploitation of the issue, as the attacker would first have to authenticate to access the vulnerable code, Microsoft stated.
Microsoft issued stern warnings about the issue, urging customers to patch.
"Because the vulnerability is potentially wormable on those older versions of Windows, we're encouraging customers to test and deploy the update as soon as possible," Christopher Budd, a security program manager for Microsoft, said in a post on the Microsoft Security Response Center blog.
The Windows Server service handles networking requests for all versions of Microsoft's operating system.
In the past five years, Microsoft has done a credible job in eliminating the easiest-to-exploit vulnerabilities through its Secure Development Lifecycle and renewed focus on security in its Windows operating system and major applications. In addition, cybercriminals' change in focus to profit generation and greater law enforcement success in prosecuting cybercrime have resulted in fewer blatant epidemics and more subtle botnet-building attacks.
In 2004, the Sasser worm spread amongst Windows computers, while the Witty worm infected security appliances and gateway servers running software from network security firm Internet Security Systems. In 2005, a few different worms -- including the Zotob worm -- attempted to create botnets using a flaw in the Plug-and-Play functionality of Microsoft Windows. The authors of both Zotob and Sasser were arrested and convicted.
For the latest flaw, Microsoft mobilized its security researchers as it has seldom done in the past to explain the vulnerability and the company's discovery, investigation and mitigation of the issue. In three separate blog posts, Microsoft gave additional details of the vulnerability, offered guidance to companies to ascertain their risk from the flaw, and explained why the company's Secure Development Lifecycle did not catch the issue.
"We discovered this vulnerability as part of our research into a limited series of targeted malware attacks against Windows XP systems that we discovered about two weeks ago through our ongoing monitoring," Microsoft's Budd said in his blog post. "As we investigated these attacks we found they were utilizing a new vulnerability."
Microsoft had issued an advance notification of the patch on Wednesday.
Posted by: Robert Lemos