Microsoft last week released a total of nine security updates with fixes for 14 separate vulnerabilities, four of which were given "critical" severity ratings by the software vendor.
Among the critical flaws, the ones that evoked the most concern among security analysts were the vulnerability in MSDTC, which is used by Windows to manage database, messaging and file-system transactions, and a hole in the COM+ service that's built into the operating system to handle resource management tasks.
The two flaws were detailed in a single security bulletin by Microsoft, which officially counted them and two that were less severe as just one vulnerability - a standard practice that the company uses when one patch can fix multiple security holes.
Both flaws could enable hackers to gain complete administrative control of unprotected servers and are similar to the vulnerability in a plug-and-play component of Windows 2000 that the creators of Zotob and its variants took advantage of in August.
But Russ Cooper, editor of the NTBugtraq newslist and a scientist at IT security vendor Cybertrust Inc. in Herndon, Va., said via e-mail that the newly discovered vulnerabilities are unlikely to give would-be attackers any more of an opening than they already had. "Systems vulnerable to an MSDTC worm are wide open to the Internet," he said. "Such systems are ripe for attacks of all sorts anyway."
Microsoft on Friday said it was aware of "isolated deployment issues" with the patch for the MSDTC and COM+ flaws. The company was "working with the limited amount of customers affected to help resolve the issue," a spokeswoman said via e-mail. It also posted a notice describing various system problems that could occur after installing the patch, plus workarounds for fixing them, she added.
The SANS Institute's Internet Storm Center in Bethesda, Md., said it had heard from more than two dozen people who reported that they had problems when they tried to install the patch.