Microsoft is rushing out an emergency security fix outside of its regular patch schedule for Windows users.
Microsoft posted the fix at 10 a.m. Pacific time today. It applies to all versions of Windows, from Windows 2000 up to Windows Server 2008. However, the advisory on the flaw said it poses a less serious risk for users of Windows Vista and Server 2008.
Microsoft (NASDAQ: MSFT) does not disclose specifics about vulnerabilities in advance so as not to give malicious hackers a roadmap to an exploit. This bug is apparently not known and there are no zero-day exploits in the wild, thus far.
However, when Microsoft issues a fix, it’s not uncommon for hackers to reverse-engineer the fix and use that to craft malware targeted at people who are slow to patch their machines.
For the company to issue a fix out of band, and with such urgency, would indicate a severe vulnerability. The only thing Microsoft would say about the vulnerability is it is a remote execution exploit. This would allow specially-crafted code to take control of a user’s machine.
Microsoft will host a Webcast to address customer questions on this fix today at 1 p.m. Pacific time.
Microsoft has issued out-of-band alerts in between its monthly Patch Tuesday fixes, but usually those are just warnings and perhaps a temporary fix, such as which service to turn off or what not to do.
The last time Microsoft actually pushed out a fix between Patch Tuesdays was in April 2007, when the company fixed a bug in Windows’ animated cursor files. That flaw was publicly known and would allow for “drive-by” installation of malicious code, where a computer could be infected simply by visiting a site with the malware hidden away.