Huge Vulnerability in Windows Revealed
Microsoft: Oops! We Did It Again.
“This is one of the most serious Microsoft vulnerabilities ever released,” said Marc Maiffret of eEye Digital Security of Aliso Viejo, California, which discovered the new Windows flaws. “The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system.”
Maiffret said some computer systems that control critically important power or water utilities were vulnerable.
Maiffret predicted hackers will try to unleash a damaging Internet infection within weeks. Unlike earlier vulnerabilities that spawned such attacks, hackers can exploit the newly disclosed flaws to break into susceptible computers using dozens of methods, making any defense far more difficult.
“The race will be on,” agreed Marcus Sachs, a former White House adviser on cybersecurity.
Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them. Maiffret complained that the delay between eEye’s discovery and Tuesday’s public disclosure by Microsoft was “just totally unacceptable” because Windows users were broadly vulnerable during the period.
Toulouse said Microsoft took months because it wanted to ensure that a single patch fixed any related problems. “We really took the steps to make sure our investigation was as broad and deep as possible,” he said. Maiffret and Microsoft said they were unaware anyone had yet attacked Windows computers using the technique, although eEye had successfully tested the method to break into its own computers.
The security update is available from this page.