Microsoft contacted me about a critical security flaw in various Windows versions, which is notable because this is the first such flaw to be found since the company released Windows Server 2003. The vulnerability, which affects the RPC (remote procedure call) functionality in Windows NT 4.0, 2000, XP, and 2003, could allow hackers to remotely gain control of victims' PCs, and the company recommends that all users of these products download a patch that fixes the problem. Customers using XP, 2000 with the latest service pack, or 2003, will be automatically protected if they've enabled the Auto Update feature, Microsoft told me.
The vulnerability was discovered by security researchers in Poland called "The Last Stage of Delirium," and Microsoft expressed its thanks that the group followed the correct procedure by alerting the software giant of the flaw so that it could create a fix before the flaw was discovered by hackers. A Microsoft representative told me Wednesday that the company has modified its Trustworthy Computing-oriented code review process to find vulnerabilities such as this proactively in the future.
In addition to the RPC vulnerability, Microsoft patched two other less critical vulnerabilities in XP and ISA Server Wednesday, I was told. Users not protected by Auto Update can visit the Microsoft Web site or Windows Update to download fixes for these vulnerabilities.
