Posted by: Ken Harthun
Critical update, Malware, Microsoft Windows, Remote Code Execution, Security, Security bulletin, Vulnerabilities
Microsoft just released a critical update for a “privately reported” vulnerability in the server service:
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Exploits are already being detected, according to the Microsoft Malware Protection Center:
Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write ups.
I’m going to update the servers right now. Everyone should do the same.