Microsoft issues 'critical' security alert

A successful exploit would allow remote code execution on the target system

Microsoft has issued a 'critical' fix for Windows users following reports of targeted attacks against a vulnerability in the server component for all currently supported versions of Windows and Windows Server.

An attacker could exploit the flaw by sending a specially-crafted Remote Procedure Call packet. A successful exploit would allow the attacker to remotely execute code on the target system.

The reported attacks are believed to be targeted and not widespread, but Microsoft is releasing a fix for the flaw through its automatic update services.

The bulletin is rated 'critical' for all versions of Windows and Windows server with the exception of Windows Vista and Server 2008, which carry a less severe 'important' risk due to protections which limit the attack to authenticated users.

Microsoft normally prefers to release all security updates as a single download on the second Tuesday of each month. When in-the-wild attacks occur, however, the company will sometimes release unscheduled 'out of cycle' security fixes.

Part of the risk, according to experts, comes from the dangerous nature of the vulnerability. Because it can be exploited without any user interaction, a malware infection could spread silently among millions of computers without detection.

Security firm Lumensia issued a statement urging users and administrators to update their systems as soon as possible.

"An exploit designed around this vulnerability can propagate without user interaction from machine to machine, similar to worms from years ago such as Code Red and Nimda," said the company.

"As this security update addresses a vulnerability that is currently being exploited, IT administrators should take immediate action to patch it."

Users can obtain the fix via the Microsoft Update or Windows Update components, or through the company's direct download site.