Spike in Attacks Causes Early Release of Windows Patch
On 2 April 2007 Microsoft said that it was planning to release, in the first week of April, a patch for a Windows flaw that scammers had already exploited in an attack.
In its email, Microsoft wrote that it had originally planned to fix the vulnerability on 10 April in its monthly security update. However, owing to the public exploit, the company intended to make the patch available in the first week of the month.
Because testing was completed much earlier than anticipated, Microsoft released the updates ahead of schedule so that customers could be protected, according to the email from a Microsoft representative.
This announcement came after a weekend of heightened warnings from security companies and reports from the Internet Security Response Team of China that a worm was in the wild and made use of the unfixed hole in the software. Symantec and other security companies corroborated the presence of the Fubalca worm on 1 April 2007.
Attacks against the flaw increased over the last weekend of March, Christopher Budd, Program Manager for Microsoft, wrote on the company's Security Response Center blog on 1 April 2007. The company was also well aware of the public disclosure of "proof of concept" code. With these points in mind, and considering feedback from customers, the company had been working 24x7 to test the latest update. The company also planned to release its security update on 3 April 2007.
Microsoft said that its data analysis suggested that the attacks, as well as their impact on customers, were limited. However, it encouraged users to download the patch once it was made available. Users with the Windows automatic update feature turned on would receive the patch automatically. Customers could also download the patch manually.
Releasing a fix ahead of schedule isn't new. Microsoft released similar "out of cycle" patches in January and September 2006 as well.
Those who find it impossible to wait until 10 April 2007 can download two unofficial fixes that are available now. The first is from eEye Digital Security Inc, while the other, released on 1 April 2007, came from the Zeroday Emergency Response Team, a volunteer group.
» SPAMfighter News - 11-04-2007