Microsoft issued an emergency patch to repair a critical Windows server service vulnerability that leaves Windows systems dangerously open to attack. The software maker also said it had to act quickly because it was aware of targeted attacks affecting Windows users.
This fix marks the fourth time that Microsoft has released a security patch outside of its monthly cycle. In its bulletin, Microsoft said the flaw could be exploited by an attacker without authentication to run arbitrary code. The attacker would have to send a malicious remote procedure call (RPC) request, which could result in taking complete control of a system. The flaw is rated critical on Windows 2000, XP, and Windows Server 2003 and is given an important rating on Windows Vista and Windows Server 2008.
"It is possible that this vulnerability could be used in the crafting of a wormable exploit," Microsoft said in its MS08-067 bulletin. "Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter."
The vulnerability was discovered as part of Microsoft's investigation into a series of targeted malware attacks against Windows XP systems. Targeted attacks have been ongoing for about two weeks, said Christopher Budd, security program manager in the Microsoft Security Response Center.
Security experts said the flaw is probably contained within the Server Message Block protocol, an area that handles file sharing, printer sharing and remote administration.
"It's a very basic networking component of all versions of Windows server," said Amichai Shulman founder of database security vendor Imperva Inc.
Jason Miller, security data team manager at Shavlik Technologies LLC, called the flaw extremely dangerous and said a worm created to exploit the hole could do a lot of damage on corporate networks.
"This one is pretty nasty; this vulnerability can be exploited anonymously, meaning you can just target the system, send it something and you're in you've got full access to that system," Miller said. "The scary part is if somebody knows how to [exploit] it, it's only a matter of time before that information gets leaked."
In an email message, Ben Greenbaum, senior research manager for Symantec Security Response, said the good news is that Vista and later operating systems are very difficult to exploit since most systems won't have affected ports exposed to the Internet.
"That being said, all it takes is one client-side exploit or Trojan that includes this exploit as a payload to get such a worm into a corporate network, where the affected ports are typically exposed to other internal computers," Greenbaum said.
Since it's technically a file sharing vulnerability, an attacker would need to build a worm capable of scanning ports for machines with file sharing enabled, said Wolfgang Kandek, chief technology officer of Qualys Inc.
"It's complicated from a technical perspective but somebody in the business would find it relatively easy to do," Kandek said. "There's really the potential for something quite nasty to happen if you think about partnering this vulnerability with another one."
Shavlik's Miller said a workaround involves disabling the Windows server service, which could cause major problems for a lot of systems. Instead, rolling out a patch should be a lot easier, he said.
"Typically in a cycle for patches you would want to test the patch to see if it breaks any applications, but something like this you're going to have to deploy it," Miller said. "You've got to shoot from the hip and be a cowboy."
The last time Microsoft released a patch out of its normal cycle was in April 2007 when it patched the Windows ANI curser handling flaw. At the time, Microsoft was tracking limited attacks against the flaw allowing an attacker to run malicious commands on a victim's machine.