Microsoft VPN flaw may leave intranets open to attack