There is not much that we know for sure about this vulnerability, but what we do know is that it has been deemed “critical”, and it may allow a worm to find its way onto your computer without you realizing it. The worst thing is that there isn’t a specific set of actions that will trigger the worm. Some are speculating that the security hole can allow remote code execution on the targeted machine.

A total of five operating systems are affected: Windows 2000, XP, Server 2003, Windows Server 2008 and Vista. For the last two OSs the vulnerability has been deemed “important” and not “critical”. According to the timetable provided by Microsoft, the fix will be released today, the 23rd of October, 6pm BST. Three hours later the security experts from the Microsoft team will provide more info on the subject, in a worldwide webcast.

This is an out-of-band security update, which is a pretty rare thing with Microsoft. The Patch Tuesday cycle (which means that Microsoft releases all the updates once per month, on the second Tuesday of the month) is rarely broken, unless there is a more serious problem, such as individuals maliciously exploiting the vulnerability. The last time that Microsoft broke the cycle was back in 2007, in April, when there was an issue with the way Windows handled .ani files.

To tell you the truth, I get goose bumps and my hair stands on ends whenever I hear this two-word combination: critical vulnerability. Keep in mind that this security issue is directly related to the Windows OS, so until Microsoft releases that fix, an attacker could have a field day. If the vulnerability had affected some utility software, then I wouldn’t be so concerned. At least the details regarding this particular vulnerability are not freely circulating on the internet, which gives me some piece of mind.