Microsoft Patches Vulnerability as Hackers Launch Attacks

Microsoft issues an out-of-cycle patch to fix a flaw being exploited by hackers. The vulnerability lies in the Server service and affects users of Microsoft Windows 2000, Windows XP, Windows Server 2003 and Windows Vista.

With hackers at the door, Microsoft released a critical security fix for a remote code execution flaw in the Server service.

The vulnerability is caused by the Server service failing to properly handle specially crafted RPC (remote procedure call) requests. The Server service provides RPC support, file and print support, and named pipe sharing over the network.

According to Microsoft, attackers have already begun limited, targeted attacks to exploit the vulnerability. If successful, an attacker could take control of a compromised system. In addition to the patch, Microsoft officials confirmed the attack can be blocked using the Windows Firewall, which in its out-of-the-box configuration blocks the attacker from reaching the RPC interface.

"It is possible that this vulnerability could be used in the crafting of a wormable exploit," Microsoft warned in the bulletin. "Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter."

The issue affects users of Microsoft Windows 2000, Windows XP and Windows Vista, as well as Windows Server 2003 and Server 2008.

On Windows 2000, XP and Windows Server 2003, any anonymous user with access to the target network could deliver a specially crafted network packet to exploit the vulnerability. However, on Windows Vista and Windows Server 2008 systems, only an authenticated user with access to the target network can deliver the packet.

The release comes less than two weeks after Microsoft's monthly Patch Tuesday, which featured 11 security bulletins.

"In normal situations, administrators could typically test the patch against their production network to ensure the patch does not break any functionality," said Jason Miller, security data team manager at Shavlik Technologies. "But in this situation, administrators should patch this vulnerability immediately to their servers and workstations."