Security experts said the MS06-040 bug was the worst of the 23 patched by Microsoft this week. Now they say it's being used in attacks.
A day after Microsoft posted a dozen patches for Windows and Office, the one pegged by security analysts as the most dangerous is being used in attacks, the federal cyber-agency said.
According to an advisory issued Wednesday by US-CERT, the arm of the Department of Homeland Security that disseminates information about developing computer threats, an active exploit of the buffer overflow bug in Windows' Server service has been confirmed.
"If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to execute arbitrary code with system privileges," US-CERT said in the warning.
In its MS06-040 security bulletin, Microsoft spelled out the problem with Server service, a component responsible for sharing of local resources such as drives and printers, with others on the network. Attackers could exploit the buffer overflow vulnerability, Microsoft said, without any user intervention.
Tuesday, security experts agreed that the MS06-040 bug was the worst of the 23 patched by Microsoft. That feeling only intensified Wednesday, as others, including Microsoft itself, weighed in.
"Potentially, there a lot of folks who could be vulnerable [to this vulnerability]," said Patrick Martin, senior product manager with Symantec's security response team. Add that to a hands-off exploitation of the bug and you have "a pretty potent combination," he added.
"Users may not even know [an attack] has happened."
For its part, Microsoft took the unusual step of highlighting the Server service flaw as the most critical of 16 critical bugs patched Tuesday. In an entry to the Microsoft Security Response Center's official blog, the team called out the vulnerability as first among equals.
"While we always recommend applying any updates rated "Critical" as soon as possible, we are recommending that customers give priority to MS06-040 for testing and deployment due to technical specifics around the vulnerability," the MSRC advised.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.