Microsoft releases emergency patch to plug security loophole in Windows

25 Oct 2008

Microsoft said late Wednesday that it plans to break out of its monthly patch cycle to issue a security update today for a critical vulnerability in all supported versions of Windows. Accordingly, on Thursday, an emergency patch was released. Users can obtain the fix via the Microsoft Update or Windows Update components, or through the company's direct download site.
 
Microsoft headquarters at Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month. The software giant isn't providing many details yet, but the few times it has departed from its Patch Tuesday cycle has always been to stop the bleeding on a serious security hole that criminals had been using to break into Windows PCs on a large scale.

Microsoft's advanced notification bulletin says the problem is critical on Windows 2000, Windows XP and Windows Server 2003, meaning this is a vulnerability that can be exploited through little or no help from the user. On Windows Vista and Windows Server 2008 machines, it is labeled as ''important.''

The flaw lies in the Windows Server service, used to connect different network resources such as file and print servers over a network. By sending malicious messages to a Windows machine that uses Windows Server, an attacker could take control of the computer, Microsoft said.

However, Microsoft's acknowledgement of the issue has created a problem of a different sort. The vulnerability was not publicly known before Thursday; however, by issuing its patch, Microsoft has given hackers and security researchers enough information to develop their own attack code. Therefore, if a Microsoft user does not install the patch on his machine, he is at a greater risk than ever before.

Microsoft has spent millions of dollars trying to eliminate this type of flaw from its products in recent years. And one of the architects of Microsoft's security testing program had a frank assessment of the situation Thursday, saying that the company's "fuzzing" testing tools should have discovered the issue earlier.

"Our fuzz tests did not catch this and they should have," wrote Security Program Manager Michael Howard in a blog posting. "So we are going back to our fuzzing algorithms and libraries to update them accordingly. For what it's worth, we constantly update our fuzz testing heuristics and rules, so this bug is not unique."