Microsoft this week warned of a critical buffer overrun flaw in its Windows NT 4.0, Windows 2000, and Windows XP operating systems that could allow an attacker to run code of his or her choice on an affected computer.

Marking the first security bulletins of 2003, the Redmond, Wash., software outfit also warned of vulnerabilities in its Content Management Server 2001 and Outlook 2002.

For the Windows domain flaw, Microsoft urged customers running Windows NT 4.0 domain controllers or Windows 2000 domain controllers to apply the patches in the bulletin as soon as possible.

"Customers should install the patch at the earliest opportunity on systems running Windows NT 4.0 (workstations and member servers), Windows 2000 (workstations and member servers), and Windows XP," the company said in a security bulletin.

Microsoft said the flaw, discovered by David Litchfield of Next Generation Security Software, resides in the software's Locator service, a name service that maps names to network-specific objects. For example, if a print server has the logical name "laserprinter," a client could call the Locator service to find out the network-specific name that mapped to "laserprinter". The Remote Procedure Call client uses the network-specific name when it makes the RPC call to the service. The Locator service ships with Windows NT 4.0, Windows 2000, and Windows XP.

By default, the Locator service is enabled only on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. The company also said a properly configured firewall could block calls to the Locator service, which would protect an affected machine from an Internet-based attack.

So how can an attacker with working knowledge of the Locator service exploit this flaw? By sending a specially malformed request to the Locator service, an attacker could cause the service to fail, or to run code of the attacker's choice on the system.

Microsoft has also been informed of a security issue in its Content Management Server 2001 that could allow an attacker to run a malicious script on a Web site that is hosted via Content Management Server (CMS), a product used to create and manage Web sites. The script could allow an attacker to monitor the Web session and forward information to a third party; spoof information on the Web site; and read or write cookies belonging to the site. A security update for CMS 2001 is available.

Lastly, the company alerted the public to a security issue in the Outlook 2002 e-mail client that could lead to some e-mails being sent unencrypted, even if encryption had been selected.

This issue exists only when Outlook is used to connect to a Microsoft Exchange e-mail server, a configuration most likely to be found in a corporate network environment. Microsoft suggested users download a refreshed Office version to obviate the flaw.