Department of Homeland Security Urges Users to Install New Microsoft Patches Now
CYBERSPACE – Microsoft Corp. released a report Tuesday identifying 12 security flaws, nine considered “critical,” and provided software updates on its website to patch the holes. Yesterday, the U.S. Dept. of Homeland Security (DHS) issued an unusual alert of its own, urging PC users to apply one of those patches “as quickly as possible.”
The specific patch identified in the DHS release is MS06-040, a fix available for download at http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Users can also go to http://update.microsoft.com and select “express” to obtain a variety of critical security updates, including MS06-040.
“Windows Operating Systems users are encouraged to avoid delay in applying this security patch,” the DHS recommended in Wednesday’s statement. “Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch.”
According to security experts interviewed by CNet News, ZDNet and other tech sector news sources, the security hole patched by MS06-040 is similar to the bug that allowed the infamous “MSBlast” worm to infect thousands of PCs in 2003.
Concern over an MSBlast-style worm prompted the DHS release, in which DHS warns that the vulnerability “if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.”
DHS added that the Windows vulnerability in question “could impact government systems, private industry, and critical infrastructure, as well as individual and home users.”
On the Microsoft Security Response Center (MSRC) Blog, MSRC team member Christopher Budd acknowledged that Microsoft was aware of one “very, very limited exploitation of the vulnerability addressed by MS06-040” at the time Wednesday’s bulletin was released, but added that the MSRC “have not seen signs of widespread malicious activity so far.”
Both DHS and Microsoft emphasized that there is close coordination between DHS’ U.S. Computer Emergency Readiness Team (US-CERT) and Microsoft, which work together to limit the impact of any security vulnerability.
On the MSRC blog, Budd notes that Microsoft has “Emergency Response process teams watching for any possible malicious activity,” and “should a malicious attack occur, our teams are ready to assist our partners in law enforcement with their investigations.”