Monday Update on Graweg

So I am back to give what I hope is the last update on the recent MS06-040 exploit. By the way, this is Adrian Stone again. As many of you know from the recent posts and the recent Advisory publication, we have been working all weekend to stay on top of the Win32/Graweg issue, so I thought it would be a good idea to update you with the current status as various enterprises and organizations around the world have come online.

We have been seeing activity related to Graweg taper off. From our analysis and our work with our partners in the MSRA, we still believe that this has been a relatively contained issue that has only affected Windows 2000. However, we are in no way underplaying the severity of the vulnerability addressed in MS06-040: we continue to urge customers to deploy and test the update with a heightened sense of urgency.

It also looks like the message to download and install the update has been heard loud and clear, as we see customers continuing to download and deploy the MS06-040 update.

Speaking of downloading updates, I also want to clarify some questions I have heard lately regarding why some customers have seen MS06-040 downloaded or installed while some of the other updates have not appeared yet during the same interval. With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat. Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen, and as has been identified by others, the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. This is normal behavior, and if you have not seen the rest of this month's updates yet on your computer, rest assured they are coming and this is perfectly normal.

If you want to read more about how Windows Update works, feel free to check out this article:

We’ve also made a minor update to the MS06-040 security bulletin today to add additional information about what the impact might be of blocking ports 139 and 445 within corporate environments, as well as a pointer to documentation of a known issue affecting some applications that copy very large chunks of memory after the update is applied. In working with our support personnel, this is only affecting a small set of customers and no changes are planned to the updates included in MS06-040 – so customers are still recommended to apply that update as soon as possible.

Rest assured, we will keep monitoring the situation, and if we identify any new threats affecting MS06-040 we will announce it here on the blog and of course give authoritative guidance on the current Advisory that is published.



*This posting is provided “AS IS” with no warranties, and confers no rights.*