The US Department of Homeland Security (DHS) said yesterday that a security vulnerability revealed by a recently released Microsoft security patch could endanger the country's critical infrastructure. In a rare move, the DHS recommended that users install the Microsoft patch as quickly as possible.
Described in Microsoft Security Bulletin MS06-040, the vulnerability affects the Server service in Windows Server 2003, Windows 2003 Service Pack 1 (SP1), Windows 2003 x64 Editions, and Windows 2003 for Itanium-based systems; Windows XP SP1 and SP2 and XP Professional x64 Edition; and Windows 2000 SP4. According to the bulletin, the vulnerability could let an attacker "take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
According to the DHS, the vulnerability described in the bulletin "could impact government systems, private industry and critical infrastructure, as well as individual and home users." A sample exploit for the vulnerability has already been published on the Web, and security researchers warn that a worm based on this code could spread quickly. That the DHS has gone so far as to issue a public warning is itself notable.
Bulletin MS06-040 was just one of nine security bulletins Microsoft issued Tuesday as part of its regularly scheduled monthly patch release. The bulletins addressed 12 security vulnerabilities, 9 of which were rated critical. It's been a banner year for Microsoft security patches: The software maker has already issued 51 security bulletins fixing 98 vulnerabilities, 64 of which were deemed critical. That's almost as many vulnerabilities as the company fixed in 2004 and 2005 combined. And security experts say no end is in sight: They expect another large set of Microsoft security patches next month.