21 November 2002 Microsoft has published its 65th security bulletin of the year, admitting that a serious flaw in its web server, its Internet browser and most versions of its operating systems could affect millions of business users and ordinary consumers.

The US software giant yesterday urged users of its Internet Information Server web server, Internet Explorer browser versions 5.01, 5.5 and 6.0 and Windows 2000, Millennium, 98 and 95 operating systems to immediately download a software patch from its web site. Windows XP, its newest operating system, is not affected by the flaw.

The vulnerability, discovered by Californian security company Foundstone, could allow an attacker to take over a web server, spread an email virus, create a fast-spreading network ‘worm’ or even format a hard drive.

It affects versions 2.1, 2.5 and 2.6 of the Microsoft Data Access Components (MDAC), a collection of components that provide database access for Windows platforms. It involves an ‘unchecked buffer’ in the Remote Data Services component of MDAC.

Microsoft rated the flaw as ‘critical’ – the most urgent of its new security categories, above ‘important’, ‘moderate’ and ‘low’.

“There are millions of systems and clients that will be affected by this,” said George Kurtz, Foundstone’s CEO. “This is huge.”

Foundstone discovered the vulnerability in August 2002 and disclosed the information to Microsoft at the time, he added.

Customers are advised to review the appropriate security bulletin, MS02-065, on Microsoft’s web site and then download and install the software patch.