When Microsoft released an out-of-cycle patch, one of the standout inclusions was the recent Pre-Beta release of their new operating system Windows 7. The highly anticipated OS, which also comes as a source of debate for Vista fans, is affected by the same remote code execution vulnerability that affects all the other production platforms.
Microsoft releases details about out-of-cycle patch. (IMG: J. Anderson)
Earlier this afternoon, Microsoft released MS08-067, which is an out-of-cycle security patch that should be added to this month’s security patch cycle for both IT departments and home users.
The patch centers on a vulnerability in the Server service, which is enabled by default on Windows 2000, Windows XP (all versions), and Windows Server 2003. The vulnerability is triggered if the system receives a malicious RPC request.
Microsoft rushed to release this patch because of the off chance that this vulnerability could be used to create a new worm variant. Other factors led to the rare patch release as well, including the fact that on Windows 2000, XP, and Server 2003 an attacker needs no prior authentication: sending the malicious RPC request is enough to run code on the targeted system.
In the FAQ for the new security bulletin, Microsoft warned that Windows 7 is vulnerable. However, as with Windows Vista, from which Windows 7 gets most of its core code, the impact of the vulnerability only earns a rating of Important. Windows Server 2008, related to both Vista and Windows 7, is likewise impacted, but is listed only as Important in the patch index.
“Yes. This vulnerability was reported after the release of Windows 7 Pre-Beta. Customers running Windows 7 Pre-Beta are encouraged to download and apply the update to their systems. On Windows 7 Pre-Beta systems, the vulnerable code path is only accessible to authenticated users. This vulnerability is not liable to be triggered if the attacker is not authenticated, and therefore would be rated Important,” Microsoft said.
Using the new Exploitability Index (EI), this new patch is listed as a Level 1 threat. Microsoft commented that, “Consistent exploit code has been discovered in limited, targeted attacks, affecting Windows XP and Windows Server 2003. While this service is enabled by default on all affected platforms, exploitation is most likely on Microsoft Windows 2000, Windows XP, and Windows Server 2003.”
“Default installations of Windows Vista and Windows Server 2008 require authentication due to protections introduced as part of UAC that enforce additional levels of integrity. This protection is in place even if the UAC prompt is disabled. Even after authentication, ASLR and DEP enhancements will present obstacles to exploitation,” the company added in their EI notes.
The last time Microsoft went out-of-cycle to address a critical security issue was in April of 2007. At the time, Microsoft was fighting a rash of targeted exploits in their operating system and Office product. The out-of-cycle patch addressed issues in the way Windows processes .ani animated cursor files. The .ani exploit was quickly moving about online and being exploited heavily.
While it is still in Pre-Beta, Windows 7 is gaining critical attention. Some call it the new XP, which shunts Vista to the level of popularity earned by the ill-fated Windows ME. Early reports centering on Windows 7 list several improvements, including faster boot times and User Interface enhancements.
Yet early Windows 7 gripes list the move to Windows Live services, instead of built-in Email, Image, and Video applications, as early focal points.
Microsoft will push the newest update to everyone via Windows Update and Microsoft Update before the day is out. Business users should have it in WSUS by day's end as well.