That's because WINS -- Microsoft's name server for Windows networks -- is required for many older third-party or custom-built applications, called "legacy" programs, said Andrew Storms, director of security operations at nCircle Security. "There's so much legacy that relies on WINS [that] our gut instinct is that most will have it installed in the data center," said Storms.

Like Carey, Storms said Microsoft, intentionally or not, softened the warning by telling customers WINS isn't installed by default. "They seem to be downplaying it," Storms said. "It is a network-based remote code possibility, so it comes with some trepidation."

Jason Miller, the data and security team manager for Shavlik Technologies, agreed. "There are more networks with WINS than most people think," he said. "Not only do some very-old legacy applications require it, but some admins, those who inherited a network or those with less tech savvy, may not even know it's installed."

Because Microsoft last patched WINS in 2009, it's possible that the component is active without admins knowing it, Miller argued.

One researcher, however, said Microsoft wasn't downplaying the WINS bug.