Worm Risk Spurs Critical Microsoft Patch

A scary security flaw that would allow malicious worms to infect one PC and then automatically jump to others prompted Microsoft to release . The glitch is critical for both 32-bit and 64-bit versions of Windows XP and Windows Server 2003, and for Windows Server 2000. Microsoft says that targeted attacks exploited the hole prior to the patch's release, and that "detailed exploit code" is currently available online.

This marks that Microsoft has released a fix outside of its normal Patch Tuesday cycle; it was sparked by lessons learned from worm epidemics like Blaster and Slammer, which cost users billions of dollars to disinfect in 2003.

Though the new hole is a huge risk, protections put in place since the worms surfaced make another epidemic far less likely. Most important is Windows XP's default-on Windows Firewall: A worm crafted to attack the new flaw would have to establish an external connection, which firewalls usually block. If a PC has no firewall, however, or if it is set up to permit file sharing and an attack comes from an infected PC on the same network, the conquering worm could take over the targeted PC. Business networks, which typically have many PCs configured for file sharing, are thus at high risk.
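As an added check for the mitigation the article describes (not code from the article or from Microsoft), the following PowerShell reports whether the Windows Firewall is enabled for each profile and lists any enabled inbound "File and Printer Sharing" rules, which is the exposure that would let a worm reach a machine from an infected neighbour on the same network. It assumes a current Windows host with the NetSecurity module (`Get-NetFirewallProfile`, `Get-NetFirewallRule`); the XP-era systems in the article predate those cmdlets and would use `netsh firewall show state` instead.

```powershell
# Added example, not from the article. Assumes the NetSecurity module cmdlets
# available on current Windows releases (not on Windows XP / Server 2003).

# Firewall state per profile: a profile with Enabled = False leaves inbound
# connections unfiltered, which is the no-firewall case the article warns about.
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$profiles | Format-Table -AutoSize

$disabled = $profiles | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning ("Windows Firewall is OFF for profile(s): " + ($disabled.Name -join ', '))
}

# Enabled inbound file-sharing rules: these allow SMB/NetBIOS traffic from the local
# network through the firewall, so an infected peer on the same LAN can reach the host.
$sharing = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                               -Direction Inbound -Enabled True `
                               -ErrorAction SilentlyContinue
if ($sharing) {
    Write-Warning "Inbound File and Printer Sharing rules are enabled on this host:"
    $sharing | Select-Object DisplayName, Profile, Action | Format-Table -AutoSize
} else {
    Write-Output "No enabled inbound File and Printer Sharing rules found."
}
```

Run it from an elevated prompt on each host you want to assess; a host with the firewall on and no enabled inbound sharing rules matches the low-risk case the article describes, while business desktops that share files will typically show enabled rules in the Domain or Private profile and should be patched first.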

Windows Vista and Windows Server 2008 have mitigating factors that reduce the risk from "critical" to "important," as rated by Microsoft. The company distributed the fix via Automatic Updates, but alternatively you can . That page also provides further information on the situation.

IE Fixes, Too

On its regular Patch Tuesday schedule, Microsoft supplied fixes for six bad holes in Internet Explorer, underscoring the need to upgrade to IE 7 as soon as possible.