Microsoft warns on three critical bugs

Microsoft has warned Windows users of three 'critical' security vulnerabilities present in the Remote Procedure Call (RPC) service used in its Windows operating system.

The company has also provided a new patch for the earlier security vulnerability in a Windows Distributed Component Object Model RPC interface.

The first two vulnerabilities uncovered yesterday could allow a buffer overflow to enable hackers to execute arbitrary code, while the third could result in a denial of service (DoS) attack.

An attacker could exploit these vulnerabilities by crafting a packet and sending it to a vulnerable server.

Doing so would either allow the attacker to execute code on the victim's machine (buffer overflow vulnerability), or cause the machine to crash and restart (DoS vulnerability).

Microsoft warned that a malicious attacker could gain local system privileges on an affected system.

This would allow them to install programs, view, change or delete data, or create new accounts with full privileges.

The RPC service provides remote procedure calls between objects executing on two remote machines running the Windows operating system.

The following versions of Windows are affected:

• NT 4.0 Server (buffer overflow)
• NT 4.0 Terminal Server Edition (buffer overflow)
• 2000 (buffer overflow and DoS)
• XP (buffer overflow)
• Server 2003 (buffer overflow)

Windows users are advised to update their systems with the Microsoft patch which is available here.