If you tell enough stories, perhaps the moral will show up.

2008-10-28

MS08-067

I think this is the second or third time MS have published an out-of-cycle patch, and it may be the first proper Windows (as opposed to IE or Office) vulnerability to get this treatment.

It probably deserves it. When I read the notice, my heart sank. I remember staying up thirty-six hours in August 2003 dealing with Nachi/Welchia running through our systems because we didn't succeed in patching MS03-026. It didn't help that I was pissed as a fart for the first six hours or so -- having been hauled out of the pub at 10PM by an aggrieved network engineer watching our traffic heading through the roof -- and my boss had to hide me in the machine room trying to figure out what was going on, while she explained to her boss that she'd sent me home. What did help was that it used ping to explore the network, and it dropped nice clear signature files. That night I experienced the sheer beauty of Cisco VACLs (level 2 filters) when I found we could use them to suppress ICMP, and that left the worm blind enough for us to clean up by hand, though I didn't dare turn it back on for a week, and we left the filter on the link to Group for years...
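The thing that made Nachi tractable was that its ping-based host discovery is loud and easy to spot in flow data, which is also why an ICMP filter on the switch blinded it. As an added illustration (not code from the post, and not from any of the tools mentioned), here is a small detector that reads constructed flow records in an assumed "timestamp proto src dst" format and flags any source that pings an unusually large number of distinct destinations within a short window. The sample log, the addresses in it and the threshold of 20 destinations per 60 seconds are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample flow log (not real traffic). Assumed line format:
    "<ISO timestamp> <proto> <src> <dst>", one flow per line."""
    lines = []
    t0 = datetime(2003, 8, 18, 22, 0, 0)
    # 10.0.5.17 behaves like a scanning worm: 40 distinct ICMP targets in 40 seconds
    for i in range(40):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} icmp 10.0.5.17 10.0.6.{i + 1}")
    # The same host also has ordinary TCP sessions; these must not count as a sweep
    for i in range(10):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} tcp 10.0.5.17 10.0.7.{i + 1}")
    # 10.0.5.2 is a normal host repeatedly pinging the same three servers
    for i in range(30):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} icmp 10.0.5.2 10.0.6.{(i % 3) + 1}")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the assumed flow format into (timestamp, proto, src, dst) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proto, src, dst = line.split()
        flows.append((datetime.fromisoformat(ts), proto.lower(), src, dst))
    return flows


def peak_icmp_fanout(flows, window=timedelta(seconds=60)):
    """For each source, the largest number of distinct ICMP destinations
    seen inside any sliding window of the given length."""
    per_src = {}
    for ts, proto, src, dst in flows:
        if proto == "icmp":
            per_src.setdefault(src, []).append((ts, dst))

    peaks = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until everything in the window is recent enough
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        peaks[src] = peak
    return peaks


def find_icmp_sweepers(text, threshold=20, window=timedelta(seconds=60)):
    """Sources whose peak ICMP fan-out reaches the threshold: candidates for
    isolation (or for an ICMP filter on their segment) and hands-on cleanup."""
    peaks = peak_icmp_fanout(parse_flows(text), window)
    return {src: n for src, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_icmp_sweepers(build_sample_log()).items():
        print(f"{src}: {n} distinct ICMP destinations within 60s")
```

Only the sweeping host is reported; the normal host that pings three servers over and over never exceeds a fan-out of three, and the sweeper's TCP traffic is ignored because the post's point is specifically about the worm's ICMP discovery. The window and threshold are the knobs to tune against what a given network's legitimate monitoring actually looks like.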

That vulnerability was in DCOM -- pretty important, but possibly fixable by switching off the service in the registry. This one is SMB, and there's no switching that off. You may as well shut down. Oh, and modern malware wouldn't make the same mistakes as Nachi, or be so gentle to its hosts. So I was pretty uncompromising all Friday, and reading the increasingly nervy statements from MS, I really don't think I was too rough. We're inserting this patch as a special into the October/September patch cycle that was just starting its route to live on the Friday. We'll have to re-do all the test servers. I hope that's enough.
