As you might have noticed, Microsoft released this security bulletin, MS08-067, about an hour ago. It’s rated as Critical on all Windows versions except Vista and 2008, and you should install this ASAP, at the very least on any machine that isn’t protected by a firewall.
While the vulnerability itself isn’t particularly interesting (it’s in the RPC code, and it appears to be similar to the bug that the Blaster worm used; for technical details look here), the speed with which the update was released is impressive. Christopher Budd provides some insight into how this issue was handled from discovery to the release of the security bulletin:
- The bug was discovered after Microsoft was researching attacks seen in the wild; that means this bug was actively exploited before Microsoft was first notified about it
- When analyzing it they found it might be exploited by a worm
- They then decided to release a patch as soon as possible, which was in about two weeks
That means the entire bug was found and fixed in at least four Windows releases (XP, 2003, 2008 and Vista), on multiple architectures, in about 14 days. If you compare this to, for example, Apple’s patch speed, I’d say that Microsoft is definitely improving its security response process.
Update 23-10: The first working exploit using this vulnerability was written in just two hours:
It took developers of the Immunity security testing tool two hours to write their exploit, after Microsoft released a patch for the issue Thursday morning.
Apparently, it doesn’t take much effort to write this type of attack code. “It is very exploitable,” said Immunity Security Researcher Bas Alberts. “It’s a very controllable stack overflow.”
Microsoft has made this chart detailing what operating systems are at risk and how serious the risks are for that particular OS: