Latest on MS08-067

Hi, this is Christopher Budd. We’ve been getting some questions from customers this week asking if we’ve seen any changes in the threat environment around MS08-067. We do have some information that we can share so I wanted to pass that along.

Most importantly, we continue to see strong deployments of MS08-067. We’re glad that customers have moved as quickly as they have to download, test and deploy the update. That said, we continue to urge customers who haven’t yet deployed the update to do so.

We have seen some new pieces of malware attempting to exploit this vulnerability this week. And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word “worm,” they do underscore the importance of deploying this update if you haven’t already.

My colleagues over in the Microsoft Malware Protection Center (MMPC) have provided write ups on the new pieces of malware we’ve seen this week and have included signatures to help protect against these.

·        Trojan:Win32/Wecorl.A

·        Trojan:Win32/Wecorl.B

·        Trojan:Win32/Clort.A

·        Trojan:Win32/Clort.A!exploit

·        Trojan:Win32/Clort.A.dr

·        TrojanDownloader:Win32/VB.CQ

·        TrojanDownloader:Win32/VB.CJ

Again, none of these are broad, fast-moving, self-replicating attacks. They’re similar to the original attacks we detected, in that they focus on loading malware onto vulnerable system. They’re also similar in that the overall scope of these attacks is very limited. The largest of these attacks are those associated with Clort family and we’ve seen well below fifty attacks worldwide.

Overall the threat environment remains similar to what it was last Monday when we released Microsoft Security Advisory 958963.  The publically available exploit code has resulted in limited malware attacks seeking to exploit the vulnerability. This is in-line with what Mike said we should expect last week. We expect we’ll continue to see new pieces of malware  over the coming days and weeks,  and our colleagues over in the MMPC will continue to add write-ups and signatures for them.

We’ll continue to watch and update you of any important new developments.



*This posting is provided “AS IS” with no warranties, and confers no rights*