The U.S. government issued a serious warning to Windows users that a critical flaw in the operating system could enable a hacker to hijack their computers and install a virus, delete programs, or gain access to private accounts.
The Department of Homeland Security (DHS) issued the rare advisory after Microsoft announced a dozen patches for vulnerabilities in the Windows software as part of the company's monthly security bulletin. What apparently grabbed the department's attention is that one of the flaws opens a back door to a computer without any action by the user.
In urging home users and businesses to apply the MS06-040 patch, the DHS said that attempts to exploit the flaw were imminent, and that attacks on Windows could impact government systems, businesses, and critical I.T. infrastructure. In fact, such attacks have already been reported.
According to Microsoft, the flaw allows remote code execution and impacts Windows 2000 Service Pack 4, Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2, as well as versions of Windows Server 2003.
A Truly Critical Flaw
"This bears all of the hallmarks of a potentially serious problem," Forrester Research security analyst Paul Stamp said. "It is installed by default, it may be enabled by default, and it is already being exploited."
Given those characteristics, Stamp suggested, the DHS felt it had to take action and prompt users to apply the appropriate patch as soon as possible. "We have already seen the widespread problems associated with the Zotob and Blaster worms, which exploited a similar vulnerability in Windows," he said.
Stamp added that the "critical" classification may cause problems for businesses in particular because Microsoft uses the term to define any issue that allows remote execution of code. "Some of these problems, as with a media player, can be easily fixed by disabling an application. But all users need to know if a worm or virus can be installed and enabled by default."
Users can apply the Microsoft MS06-040 security patch at http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx. Home users may also visit Windows Update at http://update.microsoft.com and select "express" to install critical security updates, including the MS06-040 fix.
The U.S. Computer Emergency Readiness Team (US-CERT), an arm of the DHS, is collaborating with Microsoft to minimize the adverse impacts from this vulnerability. US-CERT has issued an alert through the National Cyber Alert System and conducted briefings with federal CIOs and chief information security officers.