In a post on the Microsoft Security Response Center blog, the company stresses the importance of the patch, but downplays media reports of a new worm and talk of exploits targeting a vulnerability in the Server service that was patched last week. According to Microsoft, the malware in question is a Trojan and was uncovered by the company during its initial investigation weeks ago.
Microsoft is downplaying reports of malware exploiting the critical security hole it patched last week.
On Oct. 23, the company released an emergency out-of-band patch for a vulnerability affecting the Server service
According to Microsoft, if the service receives a specially crafted RPC
(remote procedure call) request, an attacker could exploit the
vulnerability to run arbitrary code.
When Microsoft released the patch, it noted that there were limited
attacks being launched by hackers to get users to install a
data-stealing Trojan known as TrojanSpy:Win32/Gimmiv.A. This Trojan in
turn drops another DLL detected as TrojanSpy:Win32/Gimmiv.A.dll.
While some media reports have called this a new worm, officials at
Microsoft said the malware was uncovered during the company's
investigative process a few weeks ago and is a Trojan, not a
self-replicating worm. The company still recommends, however, that
users move quickly to deploy the patch.
"While deployments of the updates are happening quickly and
relatively smoothly, and the threat environment hasn't changed
significantly since Thursday, we don't want customers to take that as a
sign to decrease their pace of, or even delay, deployments for this
update," said a post made Oct. 26 on the MSRC (Microsoft Security
Response Center) blog. "This is a critical vulnerability that is being
actively attacked, though so far in a limited, targeted fashion. Those
were the reasons we released this out-of-band and it is because of this
that we continue to urge customers to aggressively test and deploy this
update as soon as possible."
There are a few workarounds for the vulnerability as well. The
Windows firewall can also defend against the vulnerability in a default
setting. Also, disabling the Computer Browser and Server service on
affected systems will prevent remote attacks, according to Microsoft's
The out-of-band patch was a rarity for Microsoft. Typically, the
company reserves security fixes for the second Tuesday of the month,
popularly known as "Patch Tuesday." The attacks, however, forced the
company's hand. In addition, proof-of-concept exploit code has been
circulating the Web and is available on Milw0rm.
"In terms of the overall threat environment, we've not seen any
major changes so far," the MSRC blog said. "We are aware that people
are working to develop reliable public exploit code for the
vulnerability. We are aware of discussion about code posted on a public
site, but our analysis has shown that code always results in a denial
of service, to demonstrate the vulnerability. So far, we've not seen
evidence of public, reliable exploit code showing code execution."