This week, Microsoft was forced to issue an emergency patch outside its usual monthly release cycle. The out-of-band update became necessary after a vulnerability in the Server service was reported.
According to Microsoft, the security update fixes a vulnerability that allowed remote code execution on users' computers. Windows 2000, Windows XP and Windows Server 2003 are all affected, and users have been advised to apply the patch immediately.
The company rates the vulnerability as critical on those systems, and as important on Windows Vista and Windows Server 2008.
Microsoft explained that the vulnerability allows remote code execution if an affected system receives a specially crafted RPC request. It could be used to build a wormable exploit; the patch corrects the way the Server service handles RPC requests.
The company said the issue was also reported on Windows 7 pre-Beta, but on that system the vulnerability cannot be triggered unless the attacker is authenticated.
Microsoft's Security Program Manager Michael Howard explained in a blog posting that the bug is a stack-based buffer overflow inside a loop, and that buffer overruns in loops are quite hard to find.
Howard also admitted that "our fuzz tests did not catch this and they should have." Even with all the new security advancements, he said, some bugs remain hard to find; Microsoft will continue to update its fuzz testing heuristics.
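The two points Howard raises, a loop whose per-iteration check looks fine while the cumulative write runs off the end of a stack buffer, and a fuzz harness that ought to catch it, are illustrated below with a constructed example. This is added illustration, not the Server service code or Microsoft's patch: the token-joining routine, the `BUF_CAP`/`GUARD` sizes and the sample tokens are all assumptions chosen for the demonstration. The unchecked version is run into a padded region with canary bytes so the overrun can be measured instead of corrupting the real stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 16   /* assumed size of the fixed stack buffer */
#define GUARD   64   /* canary region appended so the demo overrun stays in owned memory */

/* Vulnerable pattern (constructed): each token is checked against the buffer
 * size on its own, so every single memcpy looks bounded, but `pos` keeps
 * growing across iterations and the running total is never compared to BUF_CAP. */
static size_t join_tokens_unchecked(char *out, const char *const *toks, size_t ntoks)
{
    size_t pos = 0;
    for (size_t i = 0; i < ntoks; i++) {
        size_t n = strlen(toks[i]);
        if (n >= BUF_CAP)            /* per-item check: reads as "safe" in review */
            return pos;
        memcpy(out + pos, toks[i], n); /* cumulative write: this is the overrun */
        pos += n;
        out[pos++] = '/';
    }
    out[pos] = '\0';
    return pos;
}

/* Hardened form: track remaining capacity and refuse before any write that
 * would not leave room for the separator and the terminating NUL. */
static int join_tokens_checked(char *out, size_t cap, const char *const *toks,
                               size_t ntoks, size_t *written)
{
    size_t pos = 0;
    for (size_t i = 0; i < ntoks; i++) {
        size_t n = strlen(toks[i]);
        if (n + 1 >= cap - pos) {    /* pos < cap holds here, so this write is in bounds */
            if (cap) out[pos] = '\0';
            return -1;
        }
        memcpy(out + pos, toks[i], n);
        pos += n;
        out[pos++] = '/';
    }
    out[pos] = '\0';
    *written = pos;
    return 0;
}

/* Runs the unchecked join into BUF_CAP bytes followed by a canary region and
 * reports how many canary bytes were clobbered. Callers must keep the total
 * output below BUF_CAP + GUARD so the demo never leaves the region. */
static size_t overrun_bytes(const char *const *toks, size_t ntoks)
{
    unsigned char region[BUF_CAP + GUARD];
    memset(region, 0xAA, sizeof region);
    (void)join_tokens_unchecked((char *)region, toks, ntoks);
    size_t clobbered = 0;
    for (size_t i = BUF_CAP; i < sizeof region; i++)
        if (region[i] != 0xAA) clobbered++;
    return clobbered;
}

/* Minimal fuzz-style check (constructed): random token lists, canary after the
 * buffer; returns 1 if the hardened join never touched the canary. */
static int fuzz_checked_never_overruns(unsigned rounds)
{
    unsigned seed = 12345u;
    char tokbuf[8][BUF_CAP];
    const char *toks[8];
    for (unsigned r = 0; r < rounds; r++) {
        unsigned char region[BUF_CAP + GUARD];
        memset(region, 0xAA, sizeof region);
        seed = seed * 1103515245u + 12345u;
        size_t ntoks = (seed >> 16) % 8 + 1;
        for (size_t i = 0; i < ntoks; i++) {
            seed = seed * 1103515245u + 12345u;
            size_t n = (seed >> 16) % (BUF_CAP - 1);
            memset(tokbuf[i], 'a', n);
            tokbuf[i][n] = '\0';
            toks[i] = tokbuf[i];
        }
        size_t written = 0;
        (void)join_tokens_checked((char *)region, BUF_CAP, toks, ntoks, &written);
        for (size_t i = BUF_CAP; i < sizeof region; i++)
            if (region[i] != 0xAA) return 0;
    }
    return 1;
}

/* Constructed sample input: every token passes the per-item check. */
static const char *const SAMPLE[] = { "alpha", "beta", "gamma", "delta" };
#define NSAMPLE 4

static size_t demo_unchecked_overrun(void) { return overrun_bytes(SAMPLE, NSAMPLE); }

static int demo_checked_small(void)
{
    char out[BUF_CAP];
    size_t w = 0;
    return join_tokens_checked(out, sizeof out, SAMPLE, NSAMPLE, &w);
}

static size_t demo_checked_large(void)
{
    char out[32];
    size_t w = 0;
    if (join_tokens_checked(out, sizeof out, SAMPLE, NSAMPLE, &w) != 0) return 0;
    return strcmp(out, "alpha/beta/gamma/delta/") == 0 ? w : 0;
}

int main(void)
{
    printf("unchecked join clobbered %zu bytes past the buffer\n", demo_unchecked_overrun());
    printf("checked join into %d bytes: %d (-1 = refused)\n", BUF_CAP, demo_checked_small());
    printf("checked join into 32 bytes wrote %zu bytes\n", demo_checked_large());
    printf("fuzz: hardened join kept canary intact: %d\n", fuzz_checked_never_overruns(2000));
    return 0;
}
```

Each `memcpy` in the unchecked loop copies fewer than `BUF_CAP` bytes, which is why a line-by-line review, or a fuzzer that only varies one token at a time, can miss it; the defect is the sum over iterations. The harness at the end shows what the canary-based fuzz check Howard alludes to needs: inputs that vary both the number and the length of items, and a detector that watches memory past the buffer rather than just the return value.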
© 2007 - 2009 - eFluxMedia