In its September patch announced Tuesday, September 8, Microsoft has released five Security Bulletins for addressing eight vulnerabilities; but has, at the same time, left three zero-day vulnerabilities - which can lead to denial-of-service (DoS) attacks - open for abuse!

While two IIS vulnerabilities were made open to public last week after the exploitation code was posted online; the exploit code of the third zero-day vulnerability, which affects the Microsoft Server Message Block protocol 2.0 (SMB), was posted on Monday.

Though a SANS Institute report said that exploitation of the critical SMB flaw would enable hackers to remotely crash a user's system by running the Monday-posted ‘proof-of-concept’ code; experts are of the opinion that the flaw would not have much effect on most computers if their firewalls are functioning properly.

Saying that a denial-of-service attack would largely aim at a specific business or organization, SANS researcher Guy Bruneau advised IT administrators to turn off file-sharing protocol and ensure that firewalls filter access to port TCP 445.

Nonetheless, noting that Microsoft has not issued an advisory about the SMB flaw, Andrew Storms, security vendor nCircle’s director of security operations, remarked: “The SMB vulnerability doesn't appear to be the biggest risk at the moment. Right now it's only a denial of service. The word 'only' is the key point -- the seriousness really depends upon the organization.”