A scary security flaw that would allow malicious worms to infect one PC and then automatically jump to others prompted Microsoft to release a rare out-of-cycle patch in October. The bug is rated critical for both 32-bit and 64-bit versions of Windows XP and Windows Server 2003, and for Windows 2000. Microsoft says that targeted attacks exploited the hole before the patch's release, and that "detailed exploit code" is now available online.

This marks the first time since April 2007 that Microsoft has released a fix outside its normal Patch Tuesday cycle; the action was sparked by lessons learned from worm epidemics like Blaster and Slammer, which cost users billions of dollars to clean up in 2003. Though the new hole is a huge risk, protections put in place since those worms surfaced make another epidemic far less likely. Most important is Windows XP's default-on Windows Firewall (enabled by default since Service Pack 2): a worm crafted to attack the new flaw would have to open an unsolicited inbound connection to the vulnerable service, which a host firewall usually blocks. If a PC has no firewall, however, or if its firewall is set up to permit file sharing and the attack comes from an infected PC on the same network, the worm can take over the targeted PC. Business networks, which typically have many PCs configured for file sharing, are thus at high risk.
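The exposure described above (no firewall, or a firewall with the file-sharing exception open to neighbouring PCs) can be checked from PowerShell on an XP SP2 or Server 2003 machine. The script below is an added example, not code from the article or from Microsoft. It assumes the XP/2003 firewall policy is stored under the `SharedAccess\Parameters\FirewallPolicy` registry key, with an `EnableFirewall` value per profile and a `Services\FileAndPrint` subkey holding `Enabled` and `Scope` values; those value names are assumptions for illustration. It uses only PowerShell 2.0 syntax so it can run on those older systems.

```powershell
# Added example (not from the article): report the Windows Firewall state and the
# File and Printer Sharing exception for each firewall profile on XP SP2 / Server 2003,
# and rate the exposure to a network worm that spreads over file-sharing ports.
# Assumption: policy lives under the registry path below; the FileAndPrint subkey
# and its Enabled/Scope values are assumed names. Run from an administrative shell.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallExposure {
    param([string]$Profile)   # 'DomainProfile' or 'StandardProfile'

    $key = Join-Path $base $Profile
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{
            Profile = $Profile; FirewallOn = $null; FileSharing = 'unknown'; Risk = 'UNKNOWN: profile key missing'
        }
    }

    # EnableFirewall = 1 means the firewall is on for this profile.
    $enabled = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall

    # The File and Printer Sharing exception opens the SMB/NetBIOS ports the worm needs.
    $fp = Join-Path $key 'Services\FileAndPrint'
    $sharing = 'closed'
    if (Test-Path $fp) {
        $p = Get-ItemProperty -Path $fp -ErrorAction SilentlyContinue
        if ($p.Enabled -eq 1) {
            # Scope (assumed value) limits who may connect, e.g. the local subnet or any host.
            $sharing = if ($p.Scope) { "open (scope: $($p.Scope))" } else { 'open' }
        }
    }

    $risk = if ($enabled -ne 1) {
                'HIGH: firewall off, vulnerable service reachable from the network'
            } elseif ($sharing -ne 'closed') {
                'MEDIUM: firewall on, but file-sharing ports open to hosts in scope'
            } else {
                'LOW: firewall on, file-sharing ports closed'
            }

    New-Object PSObject -Property @{
        Profile = $Profile; FirewallOn = ($enabled -eq 1); FileSharing = $sharing; Risk = $risk
    }
}

'DomainProfile', 'StandardProfile' |
    ForEach-Object { Get-FirewallExposure $_ } |
    Format-Table Profile, FirewallOn, FileSharing, Risk -AutoSize
```

Which profile is active depends on whether the machine is joined to its domain network at the time; a laptop on a hotel LAN uses the Standard profile. On Vista and Server 2008 the same information comes from `netsh advfirewall show allprofiles`, and none of this replaces installing the patch: it only tells you how urgently.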

Windows Vista and Windows Server 2008 have mitigating factors that reduce the risk from "critical" to "important," as rated by Microsoft. The company distributed the fix via Automatic Updates; alternatively, you can download it manually (and read additional information about the issue).

IE Fixes, Too
On its regular Patch Tuesday schedule, Microsoft supplied fixes for six bad holes in Internet Explorer, underscoring the need to upgrade to IE 7 as soon as possible.
The wide-ranging flaws affect IE 5, 6, and 7 on Windows 2000, XP, Vista, Server 2003, and Server 2008, but they're most serious if you use an older version of IE on Windows XP or 2000.

In those cases, an attack could run any command and have its way with your PC. If you've upgraded to IE 7, the flaws permit miscreants to steal user names or other cookie-based data, but nothing more. Two of the bugs are rated as most dangerous in Microsoft's new "exploitability index" assessment, which gauges how likely a working attack is against a given vulnerability. Get the fixes through Automatic Updates, or download the patch (and read more info on the new exploitability ratings).

Insecure F-Secure

Once again, security software has created an insecurity. If an F-Secure program (the affected range includes Internet Security 2008, Anti-Virus 2008, and Home Server Security 2009, in versions dating back to 2006) scans a malicious, specially crafted compressed file, your system could be compromised. F-Secure says that no attacks have occurred, but if you use any of these versions, make sure that the app has acquired the latest updates (which should happen automatically). The broader caveat applies to any antivirus product: the scanner unpacks untrusted archives with system-level privileges, so a bug in its file parser is exposed to every file that reaches the machine.