According to Christopher Budd of Microsoft, “This is a Critical vulnerability that is being actively attacked, though so far in a limited, targeted fashion.” (the Microsoft Security Response Center blog)

Since this initial update, the company reports an awareness of underground hackers “working to develop reliable exploit code for the vulnerability” that so far only results in denial of service.

You can obtain your patch from Microsoft’s Security Bulletin.  I recommend actually applying this one since it is the opinion of industry watchdogs that this exploit could be the potential focus of malware authors resulting in potentially more threatening results than DOS.  Besides, it never hurts to err on the side of caution and if you’re like most Windows users, you should be used to this kind of inconvenience by now.

Keep in mind when you perform your own update, to boot your system before you run the patch.  I don’t normally do this myself but it makes sense to know beforehand which services may already need your attention before you alter the systems that they affect.  And of course, don’t forget to create a restore point first as well.

After you’ve run the patch, reboot again just to make sure you’ve flushed unnecessary DLLs out of memory.  You should be good to go but in case something screwy happens, uninstall the patch and re-install again.

Personally, and against any other update reports that I’ve heard of, I lost use of Outlook’s ability to view my reading pane or send outgoing mail despite the fact the this patch supposedly has no bearing on Office apps.  I had to re-boot several times before regaining full control of Outlook.  Since I had performed no other maintenance of any kind and all things were running smoothly before the patch, I attribute the gliche solely to the patch.  So beware, but don’t panic.

Mac users will be relieved to know that this isn’t a patch you need to worry about, even if you’re running MS software.  The vulnerability affects only Windows PCs.

Not to sound fatalistic, I thought it appropo to cross-reference MS’s patch update with an article from The Register about the ease with which technically illiterate crooks are moving into cybercrime by easily acquiring and distributing viruses that they can pay grunt hackers a nominal fee for.  According to The Register, these fraud service products can be created and distributed via underground forums for the asking price of $300/mo.

Believe it or not, underground hackers have their use for Web 2.0 in their own string of social networking sites that consist of blogs, forums, podcasting, torrents, videos, you name it.

The Economic Times also reports that black market Underground Economy Servers are forums used by criminals to advertise and trade stolen information and services related to identity theft.  The kind of information we’re talking about can be anything from government issued IDs to credit cards, SSNs, SINs, PINs, debit cards, user accounts (incl passwords), email address lists and bank accounts.

And according to Symantec Corporation, you could purchase a stolen credit card number for $0.40 USD, an email password for $4, a full identity for $1-15, or bank account credentials ranging from $10 to $1K.

Who are these bad guys?  Much of this kind of activity is rumored to originate in Eastern Europe (esp Russia).  Not to be outdone, Brazil take the #1 spot for technical sophistication amongst online miscreants.

It should go without saying that it pays to keep up-to-date on all relevant updates and more importantly, to have some kind of system in place that provides reliable information.  One of my most trusted resources for Windows users is Windows Secrets. << That’s not an affiliate link so check them out.