Microsoft's Newest Bug Could Be Awful, Researcher Says

"Slammer was bad because it was fast and quick," said Litchfield, referring to a rapidly-spreading network worm in early 2003 that caused an estimated $750 million in damages and repair costs. "All business relies on e-mail, so while an exploit here may not be as fast [as Slammer] in the way it spreads, the financial cost could be far greater."

Although both NGS and Microsoft have withheld technical information about the vulnerability, Litchfield didn't hold out much hope of that stymieing hackers.

"We always withhold all technical information for 90 days, but that's not going to prevent people reverse engineering the Microsoft patches," he said. The practice is, in fact, common; attackers often have no idea that a vulnerability exists until a patch is released. By examining the fix, they can often backtrack to the bug, then figure out how to exploit it.

"I wouldn't be shocked to see proof-of-concept or exploit code within a week," said Litchfield.

"If you didn't patch yesterday, you'd better patch today."