Latest on MS08-067


Hi, this is Christopher Budd. We’ve been getting some questions from customers this week asking if we’ve seen any changes in the threat environment around MS08-067. We do have some information that we can share so I wanted to pass that along.


Most importantly, we continue to see strong deployments of MS08-067. We’re glad that customers have moved as quickly as they have to download, test and deploy the update. That said, we continue to urge customers who haven’t yet deployed the update to do so.


We have seen some new pieces of malware attempting to exploit this vulnerability this week. And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word “worm,” they do underscore the importance of deploying this update if you haven’t already.


My colleagues over in the Microsoft Malware Protection Center (MMPC) have provided write ups on the new pieces of malware we’ve seen this week and have included signatures to help protect against these.


·        Trojan:Win32/Wecorl.A


·        Trojan:Win32/Wecorl.B


·        Trojan:Win32/Clort.A


·        Trojan:Win32/Clort.A!exploit


·        Trojan:Win32/Clort.A.dr


·        TrojanDownloader:Win32/VB.CQ


·        TrojanDownloader:Win32/VB.CJ


Again, none of these are broad, fast-moving, self-replicating attacks. They’re similar to the original attacks we detected, in that they focus on loading malware onto vulnerable system. They’re also similar in that the overall scope of these attacks is very limited. The largest of these attacks are those associated with Clort family and we’ve seen well below fifty attacks worldwide.


Overall the threat environment remains similar to what it was last Monday when we released Microsoft Security Advisory 958963.  The publically available exploit code has resulted in limited malware attacks seeking to exploit the vulnerability. This is in-line with what Mike said we should expect last week. We expect we’ll continue to see new pieces of malware  over the coming days and weeks,  and our colleagues over in the MMPC will continue to add write-ups and signatures for them.


We’ll continue to watch and update you of any important new developments.


Thanks


Christopher


*This posting is provided “AS IS” with no warranties, and confers no rights*


Comments (8)

  1. Anonymous says:

    Kurzbeschreibung: Sicherheitsupdate, das eine kritische Lücke in der Netzwerkprogramm(ier)schnittstelle (API) von Windows bzw. dem zugehörigen Windows Server Dienst und hier des RPC ("Remote Procedure Call") schließen soll, durch die ein Angreifer von

  2. Anonymous says:

    Looks like Christopher Budd over on the MSRC blog has another update on MS08-067 for us.  Overall

  3. Anonymous says:

    Hi, this is Christopher Budd. We’ve been getting some questions from customers this week asking if we

  4. Anonymous says:

    Hi, this is Bill Sisk A while back we discussed the fact that we’re likely to see new pieces of malware

  5. Anonymous says:

    Hi, this is Bill Sisk A while back we discussed the fact that we’re likely to see new pieces of malware

  6. Anonymous says:

    Feed: The MicrosoftSecurity Response Center (MSRC) Posted on: Tuesday, November 25, 2008 7:48 PM Author

  7. Anonymous says:

    Aggiornato il 18/12/2008 ore 12:00 Dicembre 2008 17 dicembre: rilascio straordinario (OOB) bollettino