On Thursday, Microsoft issued a rare, out-of-cycle patch for a vulnerability in the Windows Server service that handles remote procedure calls (RPC), a mechanism that allows programmers to run code either locally or remotely.
In issuing MS08-067, Microsoft warned: "It is possible that this vulnerability could be used in the crafting of a wormable exploit." Entitled 'Vulnerability in Server Service Could Allow Remote Code Execution (958644)', the specific vulnerability has been assigned a National Vulnerability Database designation of CVE-2008-4250.
Microsoft rates this patch as critical for Microsoft Windows 2000, Windows XP and Windows Server 2003, and important for Windows Vista and Windows Server 2008. It also affects versions of Windows 7 pre-beta in limited release. The patch replaces MS06-040.
Microsoft normally issues patches on the second Tuesday of each month, known as Patch Tuesday. But out-of-cycle patches are not without precedent. Recent examples include the Windows Animated Cursor Remote Code Execution Vulnerability (April 2007), a vulnerability in Vector Markup Language (September 2006) and a vulnerability in the Graphics Rendering Engine (January 2006).
Microsoft said there have been only limited and targeted attacks to date.
The company added that a firewall should protect network resources from attacks originating outside the enterprise perimeter.
The patch is available via Microsoft Update or the individual bulletin for MS08-067.






Talkback
The severity of the flaw, emphasized by the out-of-band patch, underscores the need for enterprises to consider automated patch management technologies.
The issue is that unless you have an automated methodology enterprise-wide, you could be caught up in this because you're not going to have enough time to patch your systems.