"This one should be considered critical, and remotely wormable," said Marc Maiffret, the chief hacking officer at eEye Digital Security, the security company credited with the discovery.
"It's very similar to the vulnerabilities that ended up exploited by the Sasser worm or the MSBlast worm, or the Plug and Play vulnerability that led to Zotob. It's the same type of thing," said Maiffret.
The vulnerability, one of four in Microsoft's MS05-051 bulletin, can be exploited without any user interaction, is contained within a Windows 2000 service that's enabled by default, and according to Maiffret, is "not technically challenging" to exploit.
August 2005's Zotob worm, which brought down some enterprise networks, also used a vulnerability in an enabled-by-default service in Windows 2000 to wreak havoc.
The bug is in the Microsoft Distributed Transaction Coordinator (MSDTC), a distributed transaction facility for Microsoft Windows, used by developers for such processes as updating data that resides in two or more applications.
Microsoft was concerned enough about the bug to rate it "Critical," the highest warning ranking in its four-step scale, and to recommend "that Windows 2000 customers apply the update immediately."
Maiffret said that eEye had submitted several other bugs to Microsoft which were patched Tuesday. Unlike most security researchers, however, eEye tracks the time that's passed since it notified Microsoft, and posts the number of days for each vulnerability it uncovers.
The longest-running Microsoft bug, which was submitted to the Redmond, Wash.-based giant 196 days ago, was not included in the fixes offered up Tuesday. The flaw found in Windows 2000's MSDTC was first filed and acknowledged by Microsoft 95 days ago, on July 8.
"We have a good working relationship with Microsoft," said Maiffret. "We may disagree on a lot of things, especially how long it takes them to come up with a patch, but we agree on the most important thing, which is keeping customers protected."