Next great worm on the rise? (MS08-067 Critical)

Microsoft seems to have broken with the “Patch Tuesday” scheduled release cycle with the urgent release of MS08-067 earlier today, after having detected in-the-wild attacks against netapi32.dll. The vulnerability is in the RPC connector we know and love so well (Blaster, Welchia, Nimda …). ISC points out quite nicely that this could be the vector of choice for the next-generation worm, and have adjusted their infocon to Yellow accordingly. I suspect that we could see such a bit of code coming out within the next 3-5 days, since there is already existing exploit source for Blaster, and some of the reverse engineering and weaponization techniques based on patches are rumoured to be quite advanced. I suspect we are either going to see a payload of some kind of destructive nature (US elections, anyone?) or, in a somewhat more insidious form (now why do the Ordos spring to mind), a botnet zombie.

I’ve been patiently waiting for three years to catch a new worm on my telescopes, so I’m ready and waiting.

Windows 2000, XP and Server 2003 are all listed as critical targets, with Vista and Server 2008 being vulnerable as well, but potentially able to limit the damage due to their newer, somewhat more modular and layered security design. For operating systems other than the latter two, this release also effectively updates MS06-040.

Christopher Budd from the Microsoft Security Response Center has a nice little writeup about it, with further details in the official release notes for MS08-067. Also from a Microsoft perspective, Michael from the Security Development Lifecycle has a nice piece titled MS08-067 and the SDL, in which he actually explains the bug itself.

Microsoft have also gone as far as to provide a webcast on the subject.

Update: Infosec blogspace is all a-twitter with this. I’ll add relevant content as I find it.
