Microsoft Issues Critical Windows Patch

The flaw is a buffer overflow in a component of the Remote Procedure Call (RPC) protocol that is used by Windows. The vulnerability affects an interface with RPC that deals with message exchange over TCP/IP port 135, according to Microsoft. An attacker who exploited the flaw could install programs, change data or create new accounts on an affected system.

The Redmond, Wash.-based company rated the vulnerability as critical.

"Microsoft strongly encourages all customers to download and apply the patch," said Jeff Jones, senior director of Trustworthy Computing security at Microsoft.

The patch is available on Microsoft's Web site in Microsoft Security Bulletin MS03-026. The vulnerability affects Windows NT 4.0, NT 4.0 Terminal Services Edition, XP and 2000, as well as Windows Server 2003.

A security organization in Poland called The Last Stage of Delirium Research Group notified Microsoft of the vulnerability earlier this month, Jones said.

In addition to applying the patch, enterprise customers should protect themselves with a firewall that is configured to block port 135, which is standard practice, he said.