Microsoft issues emergency Windows fix
Microsoft Corp. issued an emergency patch for its Windows operating system on Thursday, outside of its regularly scheduled monthly updates, to plug holes that are already allowing hackers to take control of computers.
The update carried Microsoft's maximum severity of "Critical" and applied to Windows 2000, XP and Server 2003. A lesser fix rated "Important" was also issued for Vista and Server 2008.
The vulnerability, Microsoft said, is caused by the operating systems' improper handling of specially crafted remote procedure call requests. Attackers have already begun limited, targeted attacks. Successful attacks would allow hackers to take control of a user's system, the company said.
Microsoft also said that aside from the patch, Windows Firewall can be used to block such attacks.
"It is possible that this vulnerability could be used in the crafting of a wormable exploit," Microsoft warned in its security bulletin. "Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter."
Under the older Windows operating systems, hackers can access networks as anonymous users. They can still access networks running Vista and Server 2008, but they need to be authenticated users.
The Redmond, Wash.-based company said it discovered the flaw itself, rather than through a security firm or by monitoring "chatter" on hacker websites.
Microsoft normally issues Windows updates on the second Tuesday of each month. The updates have become known as "Patch Tuesday."
The company called the unscheduled update an "out-of-band" release.