MS08-067 — emergency Server Service patch

Microsoft shipped MS08-067 out of cycle on 23 October. The vulnerability — in the Windows Server Service — allows remote code execution at SYSTEM level on unpatched hosts. Exploitation is already being observed; deploying the patch is the operational priority for the next several weeks.

This is a longer post because the vulnerability is severe and the operational implications matter.

What the vulnerability is

The technical mechanism: a buffer overflow in srvsvc.dll, the Windows Server Service. A specially crafted RPC request triggers the overflow; successful exploitation gives the attacker SYSTEM-level code execution.

The vulnerability is exposed on TCP port 445 (SMB). Authentication is not required on Windows 2000, XP SP2, and Server 2003; authentication is required on Vista and Server 2008, which limits the exposure on those platforms but does not eliminate it.

The affected platforms include essentially all current Windows versions. The vulnerable population is large; the patching response is critical.

Why the out-of-cycle release

Microsoft shipped MS08-067 ahead of the regular November Patch Tuesday because exploitation was already visible. Limited, targeted exploitation was observed before the patch was available; the accumulated risk justified an out-of-cycle release.

This is the third or fourth out-of-cycle ship in the past year. The Patch Tuesday rhythm is being preserved but with bounded exceptions for severe active-exploitation cases.

What is being observed

Specific patterns visible in the days since the patch shipped:

Public exploit code is widely available. Multiple researchers published proof-of-concept code within hours of the advisory; Metasploit modules followed within days; working operational exploits are now circulating.

Targeted exploitation continues. The pre-patch exploitation appears to have been targeted at specific organisations; the cumulative pattern suggests intelligence-gathering rather than mass compromise.

Scan volume is elevated. Inbound scanning for TCP 445 has spiked across the past week. The patterns suggest both opportunistic scanners and targeted reconnaissance.

No mass-propagating worm yet. As of writing, no Sasser-class self-propagating worm has emerged. The patch-to-worm window for previous similar vulnerabilities (Sasser, Blaster, Zotob) has been days to weeks; the current case may follow the same pattern.

What operators should do

For organisations running Windows infrastructure:

Apply MS08-067 immediately. The vulnerability is severe; the exploitation is active; the deployment urgency is real.

Block port 445 at network perimeters. No legitimate service should be exposed on this port across an internet boundary.

Block port 445 on internal segments where possible. Lateral spread will be a substantial component of any operational impact. Segmentation bounds how far an internal compromise can travel.

Audit for compromised hosts. IDS signatures for the known exploitation patterns are widely available; monitoring for them, and for TCP 445 sweeps against internal hosts, catches active exploitation.

Review domain-controller exposure specifically. Domain controllers running an unpatched Server Service are particularly high-value targets; where they sit in the patching order deserves specific attention.
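One way to do the audit and monitoring above is to look for a single source touching many distinct hosts on 445/tcp in a short window, at the perimeter (denied reconnaissance) and inside (the lateral-spread case). The script below is an added example for this post, not code from the original; the log line format and the sample lines are constructed, and the thresholds are assumptions to tune per site.

```python
"""Flag sources sweeping TCP 445 in firewall logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format:
# "<ISO timestamp> <ACTION> <src_ip> -> <dst_ip>:<dport>/<proto>"
SAMPLE_LOG = """\
2008-10-27T09:00:01 DENY 203.0.113.7 -> 192.0.2.10:445/tcp
2008-10-27T09:00:02 DENY 203.0.113.7 -> 192.0.2.11:445/tcp
2008-10-27T09:00:02 DENY 203.0.113.7 -> 192.0.2.12:445/tcp
2008-10-27T09:00:03 DENY 203.0.113.7 -> 192.0.2.13:445/tcp
2008-10-27T09:00:04 DENY 203.0.113.7 -> 192.0.2.14:445/tcp
2008-10-27T09:00:05 ALLOW 198.51.100.4 -> 192.0.2.20:443/tcp
2008-10-27T09:01:00 DENY 198.51.100.9 -> 192.0.2.10:445/tcp
2008-10-27T09:01:30 ALLOW 192.0.2.50 -> 192.0.2.60:445/tcp
2008-10-27T09:01:31 ALLOW 192.0.2.50 -> 192.0.2.61:445/tcp
2008-10-27T09:01:32 ALLOW 192.0.2.50 -> 192.0.2.62:445/tcp
2008-10-27T09:01:33 ALLOW 192.0.2.50 -> 192.0.2.63:445/tcp
"""

def parse_line(line):
    """Split one constructed-format line into (ts, action, src, dst, port, proto)."""
    ts, action, src, _arrow, dst = line.split()
    dst_ip, port_proto = dst.split(":")
    port, proto = port_proto.split("/")
    return datetime.fromisoformat(ts), action, src, dst_ip, int(port), proto

def find_445_sweeps(log_text, min_targets=4, window_seconds=300):
    """Return {src: sorted distinct targets} for sources that hit at least
    min_targets different hosts on 445/tcp within window_seconds.
    ALLOW and DENY both count: a denied perimeter sweep is reconnaissance,
    an allowed internal sweep is lateral movement that segmentation should stop."""
    window = timedelta(seconds=window_seconds)
    hits_by_src = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, _action, src, dst, port, proto = parse_line(raw)
            if port == 445 and proto == "tcp":
                hits_by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):          # sliding time window over hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {d for _, d in hits[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            sweeps[src] = sorted(best)
    return sweeps

if __name__ == "__main__":
    for src, targets in sorted(find_445_sweeps(SAMPLE_LOG).items()):
        print(f"{src}: {len(targets)} hosts on 445/tcp -> {targets}")
```

On the sample, the external scanner and the internal host sweeping four neighbours are both flagged; the single probe and the 443/tcp traffic are not.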

For organisations running Windows 2000 specifically:

The migration discussion is now urgent again. Windows 2000 remains structurally vulnerable; patches for it will eventually stop; the operational risk grows over time.

The patch is non-optional. Even where migration is planned, current Windows 2000 hosts must be patched.

What I am observing at Gala Coral

The general pattern (with appropriate confidentiality):

The patching discipline held. Windows infrastructure was patched within 48 hours of the out-of-cycle release. Cumulative exposure during the active-exploitation window has been bounded.

Inbound scan activity has been substantial. TCP 445 reconnaissance has spiked; the patterns match the public reporting; network filtering bounds the cumulative volume reaching internal hosts.

No internal compromise to date. The combination of fast patching, network filtering, and internal segmentation has produced bounded operational impact.

The cumulative observation: mature operational discipline absorbs incidents like this with bounded cost. The investment over years continues to pay back.

What I am paying attention to

Three things over the next several weeks.

Whether a Sasser-class worm emerges. 60% probability. The vulnerability supports worm-style exploitation; the cumulative patch deployment will determine whether a worm finds enough vulnerable hosts to propagate widely.

Specific cumulative compromise across the long tail of operators. Specific organisations with slower patching cadences will be more substantially affected.

Specific commercial-cybercrime use of compromised hosts. 80% probability. Hosts compromised through MS08-067 will be added to existing botnet infrastructure.

For my own continued writing: continued tracking of MS08-067 exploitation. The cumulative archive grows.

More in time.
