News

Off-Cycle Microsoft Patch Targets Worm-Like Windows Bug

Redmond on Thursday released a critical out-of-cycle security patch affecting Windows 2000, Windows XP and Windows Server 2003 systems.

Redmond on Thursday released a critical out-of-cycle security patch affecting Windows 2000, Windows XP and Windows Server 2003 systems.

The software giant said weaknesses in server service mechanisms within these OSes could allow for remote code execution (RCE) exploits through the use of a "specially crafted" remote procedure call (RPC) request.

RPC technology, first adopted by Microsoft in the mid-1980s, allows subroutine code to execute on other computers on a shared network. What's unique about this RPC vulnerability is that subroutines can be executed without programmer interference. It allows an almost automatic remote interaction between CPUs in a shared processing environment.

An attacker could exploit this vulnerability in the affected Windows OSes and run arbitrary code without authentication. Redmond is hastening an out-of-cycle patch because the vulnerability is reminiscent of self-replicating malware or a "wormable exploit," as Microsoft calls it.

"Based on the number of Windows systems that are potentially exposed to a massive attack, it was in Microsoft's best interest to just go ahead and patch it," said Jon Oltsik, an analyst at Milfort, Mass.-based IT research firm Enterprise Strategy Group. "This exploit that applies to this fix is not in the wild to a great degree but the thinking behind the bulletin was probably, 'why wait.'"

Security experts say that for users running newer versions of Windows, such as Vista and Windows Server 2008, the potential attack associated with this bulletin cannot be anonymous and must use authenticated user credentials to exploit the vulnerability. However, they do warn that this does not mean it's impossible to exploit the vulnerability in a newer Windows OS. It just won't be as easy.

Nevertheless, the common consensus among observers is that IT pros should install the patch now.

"In normal situations, administrators could typically test the patch against their production network to ensure the patch does not break functionality," said Jason Miller, security data team manager at St. Paul, Minn.-based Shavlik Technologies. "But in this situation, enterprise IT workers should patch this vulnerability immediately to their servers and workstations."

It's not often that Redmond issues off-cycle or out-of-band patches. It's done so just a handful of times since 2006. Coincidentally, 2006 was the year a similar patch pertaining to this issue was released. Thursday's patch replaces that September 2006 hotfix.

Because the fix is critical and will require a restart, security pros say IT managers and staff should collaborate to ensure seamless installation and testing. They recommend coordinating with desktop or end-point support personnel, as well as with network administrators and off-site consultants, where applicable.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

  • Vibe Coding with Latest Visual Studio Preview

    Microsoft's latest Visual Studio preview facilitates "vibe coding," where developers mainly use GitHub Copilot AI to do all the programming in accordance with spoken or typed instructions.

  • Steve Sanderson Previews AI App Dev: Small Models, Agents and a Blazor Voice Assistant

    Blazor creator Steve Sanderson presented a keynote at the recent NDC London 2025 conference where he previewed the future of .NET application development with smaller AI models and autonomous agents, along with showcasing a new Blazor voice assistant project demonstrating cutting-edge functionality.

Subscribe on YouTube