That update, also rated critical, patches just one vulnerability in the Remote Desktop Protocol (RDP), a Windows component that lets users remotely access a PC or server. RDP is frequently used by corporate help desks, off-site users and IT administrators to manage servers at company data centers and those the enterprise farms out to cloud-based service providers.
Most researchers were worried about the RDP bug.
"This is potentially wormable," said Storms.
"Definitely wormable," echoed Miller.
The vulnerability, tracked as CVE-2012-0173, could be exploited by an attacker who simply sends a sequence of specially crafted RDP packets to a system with RDP enabled, said Microsoft. All supported versions of Windows, both client and server, are affected, from Windows XP SP3 and Windows Server 2003 through Windows 7 SP1 and Windows Server 2008 R2 SP1. RDP is not enabled by default on any version of Windows, so only systems where it has been switched on are exposed.
Researchers had a sense of deja vu.
Microsoft patched a very similar RDP vulnerability in March with the MS12-020 update. At the time, Miller said he was "spooked" by the bug and its potential exploit in a network-attacking worm. Storms said it "had all the ingredients for a classic worm."
But there was more to the story: Just three days after the March patch shipped, Italian vulnerability researcher Luigi Auriemma, who in May 2011 had discovered one of the two RDP bugs MS12-020 fixed, accused Microsoft of leaking his proof-of-concept (PoC) attack code to Chinese hackers.
Auriemma had submitted that PoC to Hewlett-Packard's Zero Day Initiative bug bounty program to demonstrate the flaw; HP had in turn passed it along to Microsoft.
But Auriemma found the exact same code on Chinese forums and websites, some of them known hacker hangouts.
Seven weeks later, Microsoft tossed one of its Chinese partners, Hangzhou DPTech Technologies, from the Microsoft Active Protections Program (MAPP), the information-sharing program it hosts for scores of antivirus and security firms that receive vulnerability details ahead of each patch release. Microsoft said that DPTech had "breached our non-disclosure agreement" as it pinned the leak on the firm.
"It looks like Microsoft investigated further after patching the bugs in March and found this one," said Storms.
Amol Sarwate, manager of Qualys' vulnerability research lab, agreed. "Actually, this is quite common," Sarwate said, referring to Microsoft's discovery of another flaw in code already proven to be vulnerable.
In theory, enterprises using RDP would already have followed Microsoft's March advice: block TCP port 3389 at the firewall, or enable Network Level Authentication (NLA), which forces the user to authenticate before a full RDP session is established. Either step blocks the known exploitation paths for both the March and June bugs, with two caveats. NLA raises the bar rather than removing the flaw: an attacker who already holds valid credentials for the target can still reach the vulnerable code after authenticating. And requiring NLA is only possible on Windows Vista and later; a Windows XP host accepting inbound RDP has no such option, so there the port block is the only mitigation short of the patch.
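The two mitigations above, as an added example that is not from the article or from Microsoft's own guidance: a PowerShell script that audits an RDP host for NLA and restricts TCP/3389 to the local subnet. It assumes an elevated shell on Windows Vista, Windows 7 or Windows Server 2008 (or later) with the English-locale firewall rule group name "Remote Desktop"; the firewall rule name it creates is an arbitrary choice.

```powershell
# Added example (not from the article or from Microsoft): audit and enforce the
# two RDP mitigations Microsoft recommended in March 2012, i.e. require NLA and
# expose TCP/3389 only to the local network. Run from an elevated PowerShell on
# Vista / Windows 7 / Server 2008 or later. Windows XP cannot require NLA for
# incoming sessions and has no 'netsh advfirewall', so on XP only the port block
# applies. The rule name "RDP (local subnet only)" is an assumption; the group
# name "Remote Desktop" is the English-locale name of the built-in RDP rules.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

# --- Audit -------------------------------------------------------------------
$rdpListening = ($ts.fDenyTSConnections -eq 0)   # 0 = inbound RDP allowed
$nlaRequired  = ($rdp.UserAuthentication -eq 1)  # 1 = NLA required
$tlsRequired  = ($rdp.SecurityLayer -eq 2)       # 0 = RDP security layer, 1 = negotiate, 2 = TLS

"RDP enabled        : $rdpListening"
"NLA required       : $nlaRequired"
"TLS security layer : $tlsRequired"

if (-not $rdpListening) {
    "RDP is disabled on this host; nothing further to do."
    return
}

# --- Mitigation 1: require NLA (and TLS) -------------------------------------
# With NLA the client must authenticate via CredSSP before the server allocates
# a session, so unauthenticated packets never reach the vulnerable code path.
# Takes effect for new connections only.
if (-not $nlaRequired) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}
if (-not $tlsRequired) {
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2 -Type DWord
}

# --- Mitigation 2: accept TCP/3389 only from the local subnet ----------------
# Windows Firewall evaluates block rules ahead of allow rules, so a blanket
# block on 3389 would also defeat a LocalSubnet allow rule. Instead: make the
# default inbound policy "block", disable the built-in unscoped RDP allow rules,
# and add one allow rule scoped to the local subnet.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
netsh advfirewall firewall add rule name="RDP (local subnet only)" `
    dir=in action=allow protocol=TCP localport=3389 remoteip=LocalSubnet | Out-Null

# --- Verify ------------------------------------------------------------------
$rdp = Get-ItemProperty -Path $rdpKey
"NLA required now   : $($rdp.UserAuthentication -eq 1)"
netsh advfirewall firewall show rule name="RDP (local subnet only)"
```

Requiring NLA means older clients must support CredSSP (Windows XP SP3 needs it enabled separately), so test from the help desk's own workstations before rolling this out. The firewall change assumes administrators connect from the same subnet or through a jump host on it; for a VPN or management network, replace `LocalSubnet` with the appropriate address range.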
Miller wasn't optimistic IT administrators had done that. "Unless the mitigations come through with a patch, they're hard pressed for time to do it manually," Miller said. "But RDP should only be available to machines on your local network."
Exactly, added Pierluigi Stella, chief technology officer at Network Box USA, a Houston-based Internet security firm.