Microsoft apparently sat on a serious Windows OS vulnerability for six months before announcing the availability of a fix today. One analysts calls the latest exploit one of the "most serious Microsoft vulnerabilities ever released". "The breadth of systems affected is probably the largest ever," says Marc Maiffret of eEye Digital Security, the firm that first discovered the vulnerabilities. "This is something that will let you get into Internet servers, internal networks, pretty much any system."

The Microsoft advisory warns that a ASN.1 (abstract syntax notation) vulnerability could allow remote code execution on versions of the company's XP/NT/2000 operating systems. While there are no documented cases of attacks yet, security experts expect hackers to take advantage of the vulnerabilities in a matter of weeks or less. They also warn that the exploit's severity (and the potential in some cases for attackers to bypass firewalls) could make worms like Nimda and Code Red look like heavily sedated kittens compared to what's coming.

Maiffret tells the Associated Press the 6 month delay after the group notified Microsoft was "just totally unacceptable" because Windows users were left vulnerable. Microsoft security executive Stephen Toulouse says the company "took the steps to make sure our investigation was as broad and deep as possible." The patch is available via Windows Update. The exploit may bring renewed debate over whether or not making Windows Update an automatic feature is a good idea.