The vulnerabilities are very similar to the one targeted by the Blaster worm, so it will take relatively little effort for copycats to churn out variants attacking the new holes, they said.
The flaws existed in the remote procedure call (RPC) protocol used by the Windows operating system. The first two are buffer-overrun vulnerabilities that could allow an attacker to take full administrative control of a victim's system. An attacker who exploited these flaws would be able to take a variety of actions, including installing malicious programs, deleting data or creating new accounts.
The third flaw is a denial-of-service vulnerability that could allow RPC services to hang and become unresponsive, said Microsoft.
"This vulnerability is reminiscent of the first RPC flaw and should be treated with the utmost urgency and priority by network administrators globally," said Marc Maiffret, co-founder of eEye Digital Security, one of the companies to discover the latest flaws.
The US Department of Homeland Security (DHS) also warned that exploits could soon be released. The agency yesterday issued an advisory warning users of the “potential for significant impact on internet operations” because of the vulnerabilities.
“DHS believes that exploits are being developed,” the advisory said.
In urging users to update vulnerable Windows versions as soon as possible, the DHS added that it was “concerned that a properly written exploit could rapidly spread on the internet as a worm or virus in a fashion similar to the Blaster worm”.
Dan Ingevaldson, engineering manager in the X-Force unit at Internet Security Systems, said his company was able to develop an exploit for the previous RPC vulnerability within 12 hours using just the information gleaned from the patch Microsoft issued to handle the flaw. "We always assume that if we can do it, there are others out there who can do it," he said
Jaikumar Vijayan writes for Computerworld