Latest news on MS08-067

Hi, this is Christopher Budd. We’ve been getting some questions from customers this week asking if we’ve seen any changes in the threat environment around MS08-067. We do have some information that we can share so I wanted to pass that along.

Most importantly, we continue to see strong deployments of MS08-067. We’re glad that customers have moved as quickly as they have to download, test and deploy the update. That said, we continue to urge customers who haven’t yet deployed the update to do so.

We have seen some new pieces of malware attempting to exploit this vulnerability this week. And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word “worm,” they do underscore the importance of deploying this update if you haven’t already.

My colleagues over in the Microsoft Malware Protection Center (MMPC) have provided write ups on the new pieces of malware we’ve seen this week and have included signatures to help protect against these.

· Trojan:Win32/Wecorl.A

· Trojan:Win32/Wecorl.B

· Trojan:Win32/Clort.A

· Trojan:Win32/Clort.A!exploit

· Trojan:Win32/Clort.A.dr

· TrojanDownloader:Win32/VB.CQ

· TrojanDownloader:Win32/VB.CJ

Again, none of these are broad, fast-moving, self-replicating attacks. They’re similar to the original attacks we detected, in that they focus on loading malware onto vulnerable system. They’re also similar in that the overall scope of these attacks is very limited. The largest of these attacks are those associated with Clort family and we’ve seen well below fifty attacks worldwide.

Overall the threat environment remains similar to what it was last Monday when we released Microsoft Security Advisory 958963. The publically available exploit code has resulted in limited malware attacks seeking to exploit the vulnerability. This is in-line with what Mike said we should expect last week. We expect we’ll continue to see new pieces of malware over the coming days and weeks, and our colleagues over in the MMPC will continue to add write-ups and signatures for them.

We’ll continue to watch and update you of any important new developments.




Outlook 2007 SP2 will force Outlook to “shutdown”

I’ve been waiting for this feature (as I’m sure most have) since Outlook was introduced.  When you shut down Outlook, it never really shuts down – or takes a long, long time to do so.  The Outlook.exe process just sits and eats memory for eons, it seems.

SP2 for Outlook 2007 will finally fix this (fingers crossed).

How did ConfigMgr help you during the critical patch rollout?

I’ve heard from a few others that deploying the critical update the past couple days really made ConfigMgr shine.  They say that ConfigMgr has completely alleviated the patching woes of the past.

Did it help you?  Did ConfigMgr make your patching life easier?  Should ConfigMgr be marketed more surrounding it’s awesome patching capabilities?

Drop me a note and let me know.

Special Live OneCare Message for the October 23, 2008 out of band update

Because I continually test Live OneCare updates, I run OneCare on my computer exclusively.  This is the first time an update from Microsoft has produced the following message (and, yes, Microsoft is actually misspelled in the message):

Current Advisory
October 23, 2008 Advisory: Important information about a Windows security update

Micrsoft released a critical security update for a recently identified security vulnerability (Microsoft Security Bulletin MS08-067). As long as your Windows Live OneCare status remains Good (green), Windows Live OneCare is helping to protect you by automatically applying the latest security updates and virus signatures. If your status is At Risk (yellow or red), please take the requested action(s) to ensure that your computer is protected.
You may also run a manual check of Windows update by following the steps below:

  1. Open Internet Explorer.
  2. In the Tools menu, click Windows Update.
  3. Follow the instructions to check for any applicable updates.