Update on MS08-067

Hello everyone,


This is Christopher Budd once again. As I said in my last post, we aren’t done when we release an update. Our response teams are constantly watching the situation around the world to understand as much as possible what’s going on with things like the threat environment and the state of security update deployments.


Based on some of our latest situation reports I wanted to provide you with an update as of this morning. You’ve told us it’s helpful for you to have this information on an ongoing basis.


In terms of the security update itself, we’re seeing strong deployments worldwide. We also have no reports of known issues with the security update at this time.


In terms of the overall threat environment, we’ve not seen any major changes so far. We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we’ve not seen evidence of public, reliable exploit code showing code execution.


Additionally, we’re not aware of any broad attacks or new malware seeking to exploit this vulnerability since we’ve released the security update on Thursday. While there have been a couple of reports of a “new worm”, these reports are actually inaccurate: they’re talking about malware we found in our investigation of the original targeted and limited attacks that we talked about in our posting on Thursday. Specifically, these reports are talking about TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Arpoc.A (which is the specific attack associated with Exploit:Win32/MS08067.gen!A). Both of these are trojans, not self-replicating worms.


While deployments of the updates are happening quickly and relatively smoothly, and the threat environment hasn’t changed significantly since Thursday, we don’t want customers to take that as a sign to decrease their pace of, or even delay, deployments for this update.  This is a Critical vulnerability that is being actively attacked, though so far in a limited, targeted fashion. Those were the reasons we released this out-of-band and it is because of this that we continue to urge customers to aggressively test and deploy this update as soon as possible.


In addition, we are not relaxing our vigilance here. Our teams around the world continue to work around the clock, watching for any changes in the threat environment or issues that could impact customers’ ability to deploy these updates. As always, we will let you know through the MSRC weblog of any changes in this situation.




*This posting is provided “AS IS” with no warranties, and confers no rights.*