Microsoft Patches Critical Vulnerability for XP, Vista, Windows 7, and Others

Redmond usually releases security patches once a month, on Patch Tuesday, but Microsoft's security experts are worried enough about a newly reported vulnerability in the Server service to post an "out-of-band" security update, MS08-067, yesterday for all versions of Windows from Windows 2000 SP4 through Windows Server 2008 and Windows 7 pre-beta. Microsoft hasn't issued a security update between Patch Tuesday releases since April 2007, so this is a significant security issue.

Although all supported versions of Windows are vulnerable, Windows 2000 SP4, Windows XP, and Windows Server 2003 versions are especially vulnerable to this flaw, which can permit remote code execution via a specially crafted RFC request.

According to the Security Bulletin summary for October, the vulnerability described in MS08-067 receives the highest Exploitability Index Assessment: 1 - Consistent exploit code likely. From the notes for MS08-067:

Consistent exploit code has been discovered in limited, targeted attacks, affecting Windows XP and Windows Server 2003. While this service is enabled by default on all affected platforms, exploitation is most likely on Microsoft Windows 2000, Windows XP, and Windows Server 2003....

If you're running Windows Update, install the update labeled KB958644. If you need to download and install the update manually, open  the Windows Operating System and Components section of the October security bulletin  and click the link for your operating system. The Windows 7 pre-beta updates for 32-bit and 64-bit versions are not listed in the October security bulletin, but can be obtained by clicking the links provided here.