Microsoft released a dozen security updates this month (which incidentally fix nearly two dozen flaws), but the updates don't include a fix for a known denial of service attack (DoS) that could cause an affected system to crash.

In late July the company acknowledged that a denial of service vulnerability exists in the Server Service. At the time Microsoft recommended that companies block ports 135 through 139 along with port 445 to defend against potential attacks.

Adrian Stone, who works in Microsoft's Security Response Center (MSRC), wrote in the MSRC blog that while the company did release "Security Bulletin MS06-040 Vulnerability in Server Service Could Allow Remote Code Execution (921883)," to correct known problems, that update does not include a fix for the previously known denial of service vulnerability. Stone said that the reason a patch for the DoS vulnerability wasn't included is because Microsoft became aware of the problem after it had completed its testing cycle for the MS06-040 security update.

However, the company is working on a patch to correct the DoS problem and as usual will release the update once its testing cycle is complete. So unless there are complications discovered in the testing process there's a good chance that the update will be part of Microsoft's next batch of security bulletins, currently scheduled to be released on September 12, 2006.

In regard to the latest patch for the Server Service, MS06-040, an exploit has been released in the form of a add-in package for Metasploit Framework. While the related vulnerability could allow a remote intruder to take complete control of an affected system, the Metasploit package exploit causes a buffer overflow, which results in a denial of service attack. Administrators should install Microsoft's patch as soon as possible to guard against attacks.