Microsoft to Issue Emergency Security Update Today

Microsoft said late Wednesday that it plans to break out of its monthly patch cycle to issue a security update today for a critical vulnerability in all supported versions of Windows.

Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month. The software giant isn't providing many details yet, but the few times it has departed from its Patch Tuesday cycle it has always done so to stop the bleeding on a serious security hole that criminals were using to break into Windows PCs on a large scale.

By Security Fix's count, this would be the fourth time since January 2006 that Microsoft has deviated from its monthly patch cycle to plug security holes. As shown by the stories in the linked examples above, Microsoft has fixed problems, each time, that were being actively exploited by bad guys to break into PCs.

Microsoft's advance notification bulletin says the problem is critical on Windows 2000, Windows XP and Windows Server 2003, meaning this is a vulnerability that can be exploited with little or no help from the user. Redmond labels the flaw "important" on Windows Vista and Windows Server 2008 machines.

Microsoft is expected to push out the update around 1:00 p.m. ET. The company also will reveal more details about the patch in a special Webcast. I'll have more information on this update as soon as the patch is out and details are released. Stay tuned.

Update, 12:00 p.m.: Corrected the time Microsoft is expected to release this patch today.

Update, 12:45 p.m. ET: A source of mine received some information from Microsoft saying the vulnerability stems from a critical, wormable problem in the Windows Server Message Block service, a component of Windows used to provide shared access to files, printers, and other communications over a network. My source, who asked not to be identified because Microsoft has not yet publicly discussed the details, said Redmond has acknowledged that criminals have for the past three weeks been using the vulnerability to conduct targeted attacks. The source said that so far, fewer than 100 targeted attacks leveraging this flaw have been spotted by Microsoft's security team, but that Microsoft was rushing out this patch because the number of attacks appears to be increasing of late.

Update, 1:31 p.m.: Microsoft has released the update, MS08-067, which will soon hit Windows update as well. My source told me this was an SMB flaw, but he was only partly right.

The vulnerability lies in the Windows Server service, and more specifically in Microsoft's implementation of "remote procedure call" (RPC), a communications technology deeply embedded in the Windows operating system that allows a program on one machine to execute a procedure on a remote system. RPC vulnerabilities are extremely dangerous because a computer worm can use them to spread malicious software from machine to machine across a network with lightning speed, without waiting for anyone to click on anything. The infamous "Blaster worm" that attacked Microsoft and infected millions of Windows PCs in Aug. 2003 is probably the most recognizable example of malware exploiting an RPC flaw.

Microsoft does not release these so-called "out-of-band" updates lightly. I would highly recommend applying this patch as soon as possible, either by visiting Windows Update or by enabling Automatic Updates. A quick scan with Windows Update on my Vista system offered the patch, which installed without incident (the patch requires a reboot).