Microsoft is downplaying reports of malware exploiting the critical security hole it patched last week.
On Oct. 23, the company released an emergency out-of-band patch for a vulnerability affecting the Server service. According to Microsoft, if the service receives a specially crafted RPC (remote procedure call) request, an attacker could exploit the vulnerability to run arbitrary code.
When Microsoft released the patch, it noted that there were limited attacks being launched by hackers to get users to install a data-stealing Trojan known as TrojanSpy:Win32/Gimmiv.A. This Trojan in turn drops another DLL detected as TrojanSpy:Win32/Gimmiv.A.dll.
While some media reports have called this a new worm, officials at Microsoft said the malware was uncovered during the company’s investigative process a few weeks ago and is a Trojan, not a self-replicating worm. The company still recommends, however, that users move quickly to deploy the patch.
“While deployments of the updates are happening quickly and relatively smoothly, and the threat environment hasn’t changed significantly since Thursday, we don’t want customers to take that as a sign to decrease their pace of, or even delay, deployments for this update,” said a post made Oct. 26 on the MSRC (Microsoft Security Response Center) blog. “This is a critical vulnerability that is being actively attacked, though so far in a limited, targeted fashion. Those were the reasons we released this out-of-band and it is because of this that we continue to urge customers to aggressively test and deploy this update as soon as possible.”
There are a few workarounds for the vulnerability as well. The Windows firewall can also defend against the vulnerability in a default setting. Also, disabling the Computer Browser and Server service on affected systems will prevent remote attacks, according to Microsoft’s advisory.
The out-of-band patch was a rarity for Microsoft. Typically, the company reserves security fixes for the second Tuesday of the month, popularly known as “Patch Tuesday.” The attacks, however, forced the company’s hand. In addition, proof-of-concept exploit code has been circulating the Web and is available on Milw0rm.
“In terms of the overall threat environment, we’ve not seen any major changes so far,” the MSRC blog said. “We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we’ve not seen evidence of public, reliable exploit code showing code execution.”