Security experts said the MS06-040 bug was the worst of the 23 patched by Microsoft this week. Now they say it's being used in attacks.
A day after Microsoft posted a dozen patches for Windows and Office, the one pegged by security analysts as the most dangerous is being used in attacks, the federal cyber-agency said.
According to an advisory issued Wednesday by US-CERT, the arm of the Department of Homeland Security that disseminates information about developing computer threats, an active exploit of the buffer overflow bug in Windows' Server service has been confirmed.
"If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to execute arbitrary code with system privileges," US-CERT said in the warning.
In its MS06-040 security bulletin, Microsoft spelled out the problem with Server service, a component responsible for sharing of local resources such as drives and printers, with others on the network. Attackers could exploit the buffer overflow vulnerability, Microsoft said, without any user intervention.
Tuesday, security experts agreed that the MS06-040 bug was the worst of the 23 patched by Microsoft. That feeling only intensified Wednesday, as others, including Microsoft itself, weighed in.
"Potentially, there a lot of folks who could be vulnerable [to this vulnerability]," said Patrick Martin, senior product manager with Symantec's security response team. Add that to a hands-off exploitation of the bug and you have "a pretty potent combination," he added.
"Users may not even know [an attack] has happened."
For its part, Microsoft took the unusual step of highlighting the Server service flaw as the most critical of 16 critical bugs patched Tuesday. In an entry to the Microsoft Security Response Center's official blog, the team called out the vulnerability as first among equals.
"While we always recommend applying any updates rated "Critical" as soon as possible, we are recommending that customers give priority to MS06-040 for testing and deployment due to technical specifics around the vulnerability," the MSRC advised.
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.