Microsoft has issued patches for 11 security vulnerabilities, five of them critical, in Windows, Office and the .Net Framework.
"By far, this is the top of the list this month," said Andrew Storms, director of security operations at nCircle Network Security.
MS07-039 patches a pair of bugs in Active Directory in Windows 2000 Server and Windows Server 2003. The most dangerous of the two in in Active Directory LDAP validation. According to Microsoft's write-up, "an attacker who successfully exploited this vulnerability could take complete control of an affected system."
"Definitely at the top of today's list," agreed David Dewey, a researcher with IBM Internet Security Systems' X-Force team. "It's definitely exploitable."
Dewey should know, since it was a colleague at ISS, Neel Mehta, who discovered the flaw last summer. "Neel's created proof-of-concept code in-house during the time we worked on this with Microsoft," said Dewey.
"It would certainly be worth the effort" to exploit this, added Storms. "Active Directory is in the centre of every Windows network. There's a lot in there, including the group policy objects that set security - and everything about every user."
Unlike most vulnerabilities, the Active Directory bug can be exploited without any user interaction, and on Windows 2000 Server, the older of the two operating systems, it can be attacked by an anonymous user. Although Windows Server 2003 may look safer at first glance - an attacker must have valid credentials to exploit the bug on that edition - looks can be deceiving, said Tom Cross, another X-Force researcher.
"In this case, the authentication requirements become less important," said Cross. "Anyone on the network - an employee, for example - would by definition have credentials."
Worse, said Cross, is that outside attackers could exploit this without a lot of trouble by bundling an MS07-039 exploit with a multi-strike attack that figures on compromising some fraction of enterprise laptops while they're outside the network. Once back inside the enterprise's perimeter, the Active Directory exploit could fire up - using the credentials of the hijacked notebook - to grab systems running the supposedly more secure Windows Server 2003.