Microsoft released a security update today that fixes a vulnerability that affects all supported versions of Windows. On some versions of Windows, an unauthenticated attacker can remotely execute code on a vulnerable computer. Basically if file sharing is enabled and the security update is not installed yet, the computer is vulnerable. File sharing is enabled in several scenarios though it is disabled by default in XP SP2 and newer operating systems. See the "Security Vulnerability Research & Defense" blog for further information. Security Bulletin MS08-067 also provides more details. Microsoft strongly recommends that you update your computer(s) immediately.

We are already seeing a small number of attacks using this vulnerability. The situation can change now that the security update is public. We have seen cases in the past where information on how to exploit a newly updated vulnerability was posted to the web only a few days, or even hours, after a security update is released. Did we already mention that we recommend you quickly install the security update?

We have detection for the current attacks. Its name is Exploit:Win32/MS08067.gen!A and it is included in VDM update version 1.45.1012.0 and higher. We released these VDMs this morning shortly after 10 AM PDT. These current attacks will be detected when the attack file is copied to the victim’s computer, for example, as part of its self replication. Note that we are not aware of any self replicating malware that is exploiting this vulnerability at the moment. This update can detect the current attacks and we will continue to update should more be created. Our team, the Microsoft Malware Protection Center, is on the alert and is closely monitoring the situation.

Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive.  You can read more details about this malware in our encyclopedia write ups.

Windows Live OneCare safety scanner, Windows Live OneCare and the various Forefront products include these detections. If you believe that you identified new malware that is exploiting this vulnerability, or other malware, please let us know by submitting that file to our portal.

So get protected, and the sooner, the better.

Ziv Mador
Microsoft Malware Protection Center