Microsoft on October 23, 2008 did something out of the ordinary.  They released an emergency critical security update for Microsoft Windows (Effecting Multiple versions of the Operating System) on a Thursday.  This was an extraordinary change of pace for Microsoft, which normally releases their updates only on Tuesdays (known, less than affectionately, to the Microsoft world as “Patch Tuesdays”).

What does this tell us?  It tells us that this flaw is BAD, really bad – anything bad  enough to make Microsoft release this patch out of the normal cycle can’t be good.  The flaw, found in multiple versions of Windows, could allow an attacker to gain  access to an unpatched system to run malicious code (Read: Virus, Trojan, Worm, etc).  What’s more – several exploits have already been found in the wild.

The good news: If your system is set to automatically download and install updates daily, and you are behind a corporate firewall you are probably in the clear.  But if your system isn’t auto updating, or you don’t know, I highly suggest you install this (and all other) Microsoft security updates.

To download the patch – run windows update.  Or go to: http://www.microsoft.com/protect/computer/updates/bulletins/200810_oob.mspx

Remember, if you maintain a good working firewall, anti-virus application and regularly patch your system – you can go a long way towards preventing issues like these from affecting you.

For more information on the problem, see: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Some known exploits in the wild:
http://www.f-secure.com/v-descs/trojan-spy_w32_gimmiv_a.shtml
http://www.microsoft.com/security/portal/Entry.aspx?name=Exploit%3aWin32%2fMS08067.gen!A