An attacker can exploit the flaw by sending the user a specially crafted Remote Procedure Call (RPC) packet. A successful exploit would allow the attacker to execute code remotely on the target system.
Though the reported attacks were believed to be targeted and not widespread, Microsoft is releasing a fix for the flaw through its automatic update services.
The bulletin is rated as critical for all versions of Windows and Windows Server, with the exception of Windows Vista and Server 2007, which have been issued a less severe "important" risk rating because of protections that limit the attack to authenticated users.
Normally, the company prefers to release all security updates as a single download on the second Tuesday of each month. When in-the-wild attacks occur, however, Microsoft will sometimes release unscheduled "out of cycle" security fixes.
Part of the risk, say experts, comes from the dangerous nature of the vulnerability. Because it can be exploited without any user interaction, a malware infection could spread silently and undetected across millions of computers.
Security firm Lumension issued a statement urging users and administrators to update their systems as soon as possible.
"An exploit designed around this vulnerability can propagate without user interaction from machine to machine, similar to worms from years ago such as Code Red and Nimda," said the company.
"As this security update addresses a vulnerability that is currently being exploited, IT administrators should take immediate action to patch this vulnerability."
Users can obtain the fix via the Microsoft Update or Windows Update components, or through the company's direct download site.
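For administrators who need to confirm that the fix has actually landed on a fleet of hosts rather than trusting that automatic updates ran, the following PowerShell script is an added example and is not part of the original article or any Microsoft tooling. It checks whether a given update is installed and, if not, asks the Windows Update agent whether the update is pending. The article does not give the update's KB number, so `KB000000` below is a placeholder that must be replaced with the real identifier from the Microsoft bulletin.

```powershell
# Added example: verify that a Microsoft security update is installed on this host.
# The KB identifier is a PLACEHOLDER (the article does not name it); replace it
# with the number from the Microsoft security bulletin before use.
param(
    [string]$KbId = "KB000000"   # placeholder, not a real identifier
)

function Test-HotfixInstalled {
    param([string]$Id)
    # Get-HotFix reads the installed updates recorded by Windows; -ErrorAction
    # SilentlyContinue returns nothing (rather than throwing) if the KB is absent.
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

function Get-PendingUpdateTitles {
    # Ask the Windows Update agent (COM API) for updates that are not yet installed.
    # This reflects the same catalogue that Windows Update / Microsoft Update uses.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0")
    $titles = @()
    foreach ($u in $result.Updates) {
        $titles += $u.Title
    }
    return $titles
}

if (Test-HotfixInstalled -Id $KbId) {
    Write-Output "$($env:COMPUTERNAME): $KbId is installed."
    exit 0
}

Write-Output "$($env:COMPUTERNAME): $KbId is NOT installed. Checking Windows Update for pending items..."
$pending = Get-PendingUpdateTitles
$match = $pending | Where-Object { $_ -match $KbId }
if ($match) {
    Write-Output "Update is available but not yet applied: $match"
} else {
    Write-Output "Update not reported as pending; verify the host can reach Windows Update or obtain the package from Microsoft's download site."
}
# Non-zero exit lets a fleet-wide job (e.g. Invoke-Command across servers) flag unpatched hosts.
exit 1
```

Run it locally with `.\Check-Update.ps1 -KbId KBnnnnnn`, or wrap it in `Invoke-Command -ComputerName` to sweep a list of servers; hosts that exit non-zero are the ones still exposed and should be prioritised for the out-of-cycle patch.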
Microsoft issues new security alert
By Shaun Nichols on Oct 24, 2008 3:03PM