Microsoft Issues Emergency Security Patch

Microsoft has made an exception to its normal security processes and has issued an “out-of-band” urgent update. The update applied is classified as critical for Windows XP and older versions and is considered important for Windows Vista.

From InformationWeek:

In a post to the Microsoft Security Response Center blog on Wednesday evening, Christopher Budd, an MSRC security program manager, wrote, “I wanted to let you know that we’ve just posted an Advance Notification for an out-of-band bulletin release. We plan to release one Windows security bulletin with a maximum severity of Critical; scheduled for a target time of 10 a.m. PT on Thursday Oct. 23, 2008. A restart will be required.”

From the New York Times:

One day after Microsoft issued a rare emergency Windows security patch, the bad guys have a few new ways to take advantage of the bug.

By Friday, security researchers had identified a new worm, called Gimmiv, which exploited the vulnerability, and a hacker had posted an early sample of code that could be used to exploit the flaw on the Web.

Microsoft issued the patch more than two weeks ahead of its next security updates because the bug could be used to create an Internet worm attack and Microsoft had already seen a small number of attacks that exploited the flaw.

This vulnerability lies in the Windows Server service used to connect with other devices on networks. Although the firewall software that ships with Windows will block the worm from spreading, security experts are worried that the flaw could be used to spread infections between machines on a local area network, which are not typically protected by firewalls.

From CNET:

Microsoft’s “out-of-band” reaction speaks to the seriousness of this threat, but I can’t help but be impressed with the behind-the-scenes effort that led to this action. It is noteworthy to point out a few things:

1. Microsoft security researchers discovered this vulnerability themselves with the aid of some customer data. In other words, this vulnerability was not brought to Redmond’s attention by a third-party researcher, Black Hat Web site “chatter,” or a series of massive malicious exploits. This is a good proof point to those who still believe that Microsoft does not take security seriously.

2. In preparation for the urgent update, Microsoft has been sharing data and patches with other endpoint and network security vendors as part of a number of security partnering programs. This means that notification from Microsoft will likely be followed by new security signatures and support by leading security vendors.

3. It is worth mentioning that the vulnerability in Windows Vista is not as pronounced as older versions of Windows. To me, this speaks to the effectiveness of the Security Development Lifecycle (SDL) process. Lessons learned from this vulnerability will be integrated into future revisions of SDL as part of a constant improvement cycle.

Some will point fingers at Microsoft and claim that this “out-of-band” security bulletin is further proof that Microsoft remains an anathema to security. I don’t share this view. Complex software will always contain vulnerabilities and bugs. The trick is to fix as many as you can during the development and testing process, continue security research once software is released, and respond to problems with professionalism, industry collaboration, and haste. In my view, Microsoft is doing a good job at following this model.

Explore posts in the same categories: Uncategorized

Tags: , , , , , , , , , , , ,

You can comment below, or link to this permanent URL from your own site.

One Comment on “Microsoft Issues Emergency Security Patch”

  1. Stop Smoking Says:

    thanks for the heads up!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: