Security 10748 Published by

A security bulletin update from Microsoft:



This alert is to notify you of the 16 August 2005 revision of Microsoft
Security Advisory (899588) Vulnerability in Plug and Play Could Allow
Remote Code Execution and Elevation of Privilege (899588).

This Security Advisory has been updated with information regarding
variations of an existing attack exploiting the vulnerability addressed
by the Microsoft Security Bulletin MS05-039 on August 9, 2005. Our
analysis has revealed that the reported worms are similar to the
existing worm called Worm:Win32/Zotob.A. These worms have thus far had a
low impact on customers.

Our initial investigation has revealed that these worms exploit the
Windows Plug and Play vulnerability remotely only against Windows
2000-based systems. For more information about these worms, to help
determine if you have been infected by these worms, and for instructions
on how to repair your system if you have been infected by these worms,
see the Zotob Security Incident Web site or the Microsoft Virus
Encyclopedia. For Microsoft Virus Encyclopedia references see the
"Overview" section.

Other versions of Windows, including Windows XP Service Pack 2 and
Windows Server 2003 are not impacted by Worm:Win32/Zotob.A, its
variations, and similar worms attempting to exploit the Windows Plug and
Play vulnerability, unless they have already been compromised by other
malicious software. Customers can protect against attacks attempting to
utilize this vulnerability by installing the security updates provided
by the Microsoft Security Bulletin MS05-039 immediately. The MS05-039
security bulletin is available at the following Web site.

Microsoft's investigation into this malicious act is ongoing so that we
can continue to understand how we can help support customers. We are
working closely with our anti-virus partners and aiding law enforcement
in its investigation.

Our investigation of these attacks has verified that they do not affect
customers who have installed the updates detailed in MS05-039 on their
computers. Microsoft continues to recommend that customers apply the
updates to the affected products by enabling the Automatic Updates
feature in Windows.

Microsoft is disappointed that certain security researchers have
breached the commonly accepted industry practice of withholding
vulnerability data so close to update release and have published exploit
code, potentially harming computer users. We continue to urge security
researchers to disclose vulnerability information responsibly and allow
customers time to deploy updates so they do not aid criminals in their
attempt to take advantage of software vulnerabilities.

This Microsoft Security Advisory is located at this location:
http://www.microsoft.com/technet/security/advisory/899588.mspx

Microsoft Security Advisories are located at this location:
http://www.microsoft.com/technet/security/advisory/default.mspx

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team