Emergency patch MS08-067

(thank you to Jason Miller for the information below)

Microsoft has released an “out of band” security bulletin, MS08-067.  Although Microsoft has not done this type of a release lately, this has been done before by Microsoft.  In “out of band” releases, Microsoft will abandon their monthly patch cycle to address critical issues that cannot wait for the normal cycle.  Microsoft has reported they have seen targeted attacks using this vulnerability in the wild.  A targeted attack is an attack aimed at a specific group or company from a specific group.  Since the release, our data research team has started seeing reports from security industry experts about viruses being found in the wild exploiting this vulnerability.

This bulletin affects all Microsoft Windows operating systems.  On earlier but the most widely used versions of Windows (2000, XP, 2003), an attack can anonymously breach a system with this exploit.  With this in mind, this vulnerability requires no user interaction to be exploited by an evil attacker.  Simply running Windows can make you vulnerable to this exploit.  For users running newer versions of Windows (Vista, 2008), the attack cannot be anonymous and must use authenticated user credentials to exploit the vulnerability.  This does not mean it is not possible to exploit the vulnerability; this means it will not be as easy as exploiting an earlier version of Windows, but it should be patched anyway.

So, why is everyone making such uproar over this bulletin?  This could lead to next big virus, and given that we are aware of the need to install the patch we do not have an excuse to not do so, and to do so right away.  Get it done before the weekend, then maybe do a few scans to make sure its installed.