Off-Cycle Patch Targets Worm-like Windows Bug

Redmond on Thursday released a critical out-of-cycle security patch affecting Windows 2000, Windows XP and Windows Server 2003 systems.

The software giant said weaknesses in the Server service within these OSes could allow remote code execution (RCE) by way of a "specially crafted" remote procedure call (RPC) request.

RPC technology, first adopted by Microsoft in the mid-1980s, lets a program call subroutines that execute on other computers on a shared network. What sets this RPC vulnerability apart is that those subroutines can be executed without programmer interference: the mechanism allows an almost automatic remote interaction between CPUs in a shared processing environment.

An attacker could exploit this vulnerability in the affected Windows OSes and run arbitrary code without authentication. Redmond hastened an out-of-cycle patch because the vulnerability is reminiscent of self-replicating malware, a "wormable exploit" in Microsoft's terms.

"Based on the number of Windows systems that are potentially exposed to a massive attack, it was in Microsoft's best interest to just go ahead and patch it," said Jon Oltsik, an analyst at Milford, Mass.-based IT research firm Enterprise Strategy Group. "This exploit that applies to this fix is not in the wild to a great degree but the thinking behind the bulletin was probably, 'why wait.'"

Security experts say that on newer versions of Windows, such as Vista and Windows Server 2008, the attack associated with this bulletin cannot be carried out anonymously; an attacker must have authenticated user credentials to exploit the vulnerability. They warn, however, that this does not make the vulnerability impossible to exploit on a newer Windows OS. It just won't be as easy.

Nevertheless, the consensus among observers is that IT pros should install the patch now.

"In normal situations, administrators could typically test the patch against their production network to ensure the patch does not break functionality," said Jason Miller, security data team manager at St. Paul, Minn.-based Shavlik Technologies. "But in this situation, enterprise IT workers should patch this vulnerability immediately to their servers and workstations."

It's not often that Redmond issues off-cycle or out-of-band patches. It's done so just a handful of times since 2006. Coincidentally, 2006 was the year a similar patch pertaining to this issue was released. Thursday's patch replaces that September 2006 hotfix.

Because the fix is critical and requires a restart, security pros say IT managers and staff should collaborate to ensure seamless installation and testing. They recommend coordinating with desktop or endpoint support personnel, as well as with network administrators and off-site consultants, where applicable.
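The advice above (patch immediately, prioritize the OS versions that are exploitable without authentication, and plan for the required restart) is easier to act on with a quick inventory of which machines still lack the fix. The script below is an added example, not code from the article or from Microsoft. It assumes a placeholder hotfix id (the article does not give the KB number, so replace `KB0000000` with the one from the bulletin), a constructed list of hostnames, and that the admin workstation can reach the hosts over WMI and the remote registry; `Get-HotFix`, `Win32_OperatingSystem` and `OpenRemoteBaseKey` are standard PowerShell and .NET facilities. Each host is classified as patched, critical (one of the OS families the article lists as exposed to unauthenticated RCE), or high (newer OS where the attack needs credentials), and flagged if a reboot is already pending.

```powershell
# Added example: triage a rollout of an out-of-band Windows patch.
# Not the article's or Microsoft's code; KB number and hostnames are placeholders.

$HotfixId  = 'KB0000000'                                   # PLACEHOLDER: KB id from the bulletin
$Computers = @('srv-file01', 'srv-print02', 'ws-acct-17')  # constructed sample hostnames

# OS families the article lists as exploitable without authentication.
$UnauthenticatedRisk = @('Windows 2000', 'Windows XP', 'Windows Server 2003')

function Get-PatchPriority {
    param([string]$OsCaption, [bool]$HotfixInstalled)
    if ($HotfixInstalled) { return '0-Patched' }
    foreach ($family in $UnauthenticatedRisk) {
        if ($OsCaption -like "*$family*") {
            return '1-Critical: unauthenticated RCE exposure, patch now'
        }
    }
    return '2-High: attack needs credentials, patch in next window'
}

# The fix requires a restart, so note hosts that already have one pending.
function Test-RebootPending {
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        # Key present only while Windows Update is waiting for a reboot (XP/2003 era and later).
        $wu = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
        if ($wu -ne $null) { $wu.Close(); return $true }
        # Files queued to be replaced at next boot also mean a reboot is outstanding.
        $sm = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Session Manager')
        $pending = $sm.GetValue('PendingFileRenameOperations')
        $sm.Close()
        return ($pending -ne $null -and $pending.Count -gt 0)
    } finally {
        $hklm.Close()
    }
}

$results = foreach ($computer in $Computers) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        # Get-HotFix returns nothing (not an error) when the id is absent.
        $installed = [bool](Get-HotFix -Id $HotfixId -ComputerName $computer -ErrorAction SilentlyContinue)
        $reboot = $false
        try { $reboot = Test-RebootPending -Computer $computer } catch { $reboot = 'unknown' }

        # New-Object PSObject keeps this readable on PowerShell 2.0 hosts.
        New-Object PSObject -Property @{
            Computer      = $computer
            OS            = $os.Caption
            Patched       = $installed
            RebootPending = $reboot
            Priority      = Get-PatchPriority -OsCaption $os.Caption -HotfixInstalled $installed
        }
    } catch {
        New-Object PSObject -Property @{
            Computer      = $computer
            OS            = 'unreachable'
            Patched       = $null
            RebootPending = 'unknown'
            Priority      = '3-Unknown: verify manually'
        }
    }
}

# Critical (unauthenticated RCE) hosts sort to the top of the worklist.
$results | Sort-Object Priority, Computer |
    Select-Object Computer, OS, Patched, RebootPending, Priority |
    Format-Table -AutoSize
```

Unreachable hosts are listed rather than skipped, since a machine that cannot be inventoried is exactly the one most likely to be missed during an emergency rollout. The priority strings are prefixed with a digit only so that `Sort-Object` orders them from most to least urgent.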

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
