Microsoft has released a patch for a critical flaw in Windows Exchange Server 2003, Windows XP, 2000 and NT 4.

The flaw involves the Remote Procedure Call (RPC) protocol, which deals with inter-computer communications. Microsoft warned that, under certain circumstances, the RPC might not check messages sent to the PC properly.

If a malformed message is sent to the target PC it can be routed through port 135 and used to run code on the infected PC.

A patch is available here.

"Microsoft has rightly classified this vulnerability as 'critical', said Pete Philips, penetration tester with security vendor Integralis.

"Any host with port 135 open to a hostile environment, such as the internet, is very vulnerable. We'd recommend patching as a matter of urgency."

The other two flaws are less serious. The first is a problem with Windows shell, the basic graphical user interface framework. If a hacker can introduce a corrupted desktop .ini file to the host PC they could then either crash the system or run software, although the flaw would not affect security settings.

The final flaw concerns ISA Server. To use it a hacker would have to set up his or her own ISA Server to host a web page containing malware.

A victim would be persuaded to visit the web page or would receive the web address in an HTML email.

The news is another blow to Microsoft's reputation, only last week it warned of three more flaws it had discovered.

More information and patches are available here.