Microsoft Issues Critical Security Patch For Windows XP, Windows Server 2003
The security bulletin, which affects Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, is available for download from the company's Windows Update site.
The impact of the flaw, if exploited, is significant. It could enable anyone to gain access to most Windows PCs and run any code of the attacker's choice, Microsoft said. Microsoft has rated the vulnerabilities as critical, the highest severity level it assigns.
Many are worried about this set of vulnerabilities because they are similar to the RPC holes exploited by writers of the MSBlaster and Welchia worms.
As a result of the latest Windows vulnerability, for example, Symantec's Security Response on Wednesday raised the ThreatCon rating from a Level 1 to a Level 2.
Symantec said in a public statement that it has not seen "exploit code targeting this vulnerability in widespread public distribution but given the attention that the Microsoft RPC DCOM subsystem has received from the security community in recent weeks, Symantec believes that a working exploit may be launched in the near future."
According to one partner close to Microsoft, Windows programmers on the Redmond, Wash., campus are getting negative vibes for the latest batch of problems. "I heard the Windows team is getting pounded by senior execs for the latest security patch," said the partner. "Someone pretty high up was pissed because this latest patch was very similar to the Blaster [worm] one, and they should have seen it then."
Microsoft recommends that systems administrators and solution providers that service customers' PCs download and apply the patch, referred to as Security Bulletin MS03-039 (Knowledge Base article 824146). In addition, users can configure their PCs to install the security patch automatically from Windows Update.
This is the latest in a series of more than 20 fixes and security patches Microsoft has released since July. At a CRN Security Roundtable in New York Tuesday, some solution providers questioned the rationale for publicizing the security holes to the outside world, and especially to potential attackers.
However, Windows has been under severe attack by virus and worm writers this summer, and the company is under pressure to report areas of vulnerabilities and issue fixes as soon as possible, observers note.
While solution providers agree Microsoft is improving its responsiveness to security problems, at least one observer said customers and partners are getting irked by a deluge of security bulletins.
"For customers, I think the frustration level is increasing and may be starting to cause [them] to consider some alternatives for some applications," said Michael Cherry, a security analyst at Directions on Microsoft, a newsletter based in Kirkland, Wash. "They are certainly becoming aware of what these vulnerabilities are costing them. [And] for partners, they may see some opportunities for consulting on security, and they may be looking for alternatives in some cases."
One security consultant, however, told CRN that the barrage of attacks on the Windows client of late is minor compared with under-the-cover cybercrime that costs U.S. businesses billions of dollars and cyberterrorist activity that threatens national security. "They're a nuisance, and that's what gets the press, but hackers are doing way more damage that's unknown," said Gary Morse, president of Razorpoint Security, at the roundtable discussion.
However, while Microsoft continues to fight an uphill battle, law enforcement agencies are making progress in punishing criminals who have caused significant productivity losses to U.S. businesses and government agencies.
On Wednesday, Reuters reported that Romanian police arrested and charged a 24-year-old Romanian man accused of unleashing a variant of the MSBlast worm. The man faces up to 15 years in prison for the cybercrime, police said Wednesday. Last week, an 18-year-old student in Minnesota was arrested for distributing a variant of MSBlaster.