The US Department of Homeland Security (DHS) has issued a further warning over the major flaw disclosed earlier this month affecting Microsoft's key operating systems.
After the alarm was raised on 16 July by Microsoft, the DHS issued its first warning eight days later that users should implement the patch.
The department has now reacted to the emergence of dangerous exploit code, as reported by vnunet.com, by warning that it has seen a big increase in scanning for vulnerable systems.
"Two factors are causing heightened interest in this situation: the affected operating systems are in widespread use; and exploitation of the vulnerability could permit the execution of arbitrary code," the DHS said in a statement.
"DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the internet as a worm or virus in a fashion similar to Code Red or Slammer."
Given the number of potentially vulnerable systems, independent experts also fear that the situation could see the launch of a worm capable of infecting millions of PCs, leaving them in the hands of hackers or spammers.
"This is very important to patch as quickly as possible," said Graham Titterington, senior analyst at Ovum.
"This flaw isn't as immediately accessible as the problem that led to the Code Red situation since it deals more with internal than external communication.
"Nevertheless it can be used in that way and the fact it's so widespread is a major cause for concern."
The critical flaw is in Microsoft's Distributed Component Object Model Remote Procedure Call (RPC) interface.
The vulnerability involves the RPC protocol, which deals with inter-computer communications. Microsoft warned that, under certain circumstances, the RPC might not properly check messages sent to the PC.
A malformed message could be routed through port 135 and used to run code on the infected PC. Windows Exchange Server 2003, XP, 2000 and NT 4 are all affected.
The patch is available here.