Microsoft Releases Emergency Critical Patch
The critical update is one of a handful of out-of-band patches released in the past few years, experts say. Microsoft issues regularly scheduled updates on the second Tuesday of every month, which has become known in IT security circles as "Patch Tuesday."
The fact that Microsoft has released what is known as an "out-of-band" patch indicates that the vulnerability is pretty severe, experts say.
"They are not afraid to go out of band if this is something extremely important. This is something that couldn't wait," said Jason Miller, security and data team manager for Shavlik Technologies.
The vulnerability, which affects almost every Windows operating system, is rated critical for multiple versions of Windows 2000, XP and Server 2003, but is given the less severe rating of "important" for Vista and Server 2008.
The error, if left unpatched, allows remote attackers to infiltrate systems in order to take control of users' computers and steal data without any user interaction or social engineering lures. What makes this bug particularly nasty is that it has the ability to rapidly spread to other vulnerable computers within the network, experts say.
"You're talking about the ability to take full control of the system without any user interaction," said Miller. "You don't have to put in login credentials and you don't have to 'trick' somebody."
Security experts maintain that an exploit is loose in the wild, meaning that there is evidence that an attacker has already used the exploit code to conduct attacks on unsuspecting users. Miller said that Microsoft suspects that the code has been used in targeted attacks.
"Somebody in the world knows about this vulnerability. They know how to exploit the vulnerability," said Miller. "This (exploit code) is a money generator. People look to buy this stuff."
While Microsoft has provided possible workarounds for the vulnerability, experts advise users to simply apply the patch as soon as possible.
"Typically you want to test these updates because you don't want to break anything," said Miller. "I just want to get this thing and deploy it."
Security updates are available on the Microsoft Update, Windows Update and office Update sections of the Microsoft Download Center.