October 14th, 2003, 10:53 PM
#1
ISS announces new M$ RPC vulnerability (thread race condition)
ISS just announced a vulnerability they discovered where the RPC service can go into a multi-threaded race condition when processing RPC requests.
See it here: http://xforce.iss.net/xforce/alerts/id/155
Microsoft has not yet released patches to address the vulnerability.
I'm pissed that there's yet another RPC vulnerability but even more upset at ISS for announcing it BEFORE M$ has a patch released.
Not trying to open the vulnerability disclosure can-o-worms here (pun intended?) but how irresponsible on the part of ISS! Now, nobody call me a hypocrite please, because I am posting this info: it's already public (on ISS's web site and sure to spread) --we as security practitioners need to be aware!
ISS claims they are releasing this info due to "publicly available exploit tools are in circulation":
"Microsoft was notified by ISS X-Force on October 13, 2003 in response to public discussions of the vulnerability and inaccurate assessments of its scope. Additionally, disclosure of this vulnerability was accelerated because publicly available exploit tools are in circulation to demonstrate the DoS condition."
So the question is....do you release the announcement after an exploit is in the wild or after the patch has been issued?...ponder that a bit...