A new critical vulnerability that exists in many versions of Windows could allow systems to be remotely compromised...
and could be a fertile target for worm writers.
Microsoft, which has issued a patch, deemed the buffer overflow in Windows' implementation of Remote Procedure Call (RPC) critical.
The vulnerability is so severe that the Last Stage of Delirium (LSD), the Polish research group that found the vulnerability, isn't releasing exploit code for it, which is quite rare.
"Due to the enormous impact of this vulnerability, members of the LSD Research Group have decided not to publish codes or any technical details with regard to this vulnerability at the moment," the group said in an e-mail to SearchSecurity.com.
The group plans to release a more detailed description of the vulnerability "when its impact will be reduced through propagation of appropriate fixes."
The vulnerability is found in Windows NT, 2000 and XP. The flaw is also in Windows Server 2003 but not Windows 95 and Windows 98.
The flaw is not in RPC, which is a widely used protocol for allowing different operating systems to communicate with each other, said Dan Ingevaldson, engineering director for Internet Security Systems' X-Force. The problem lies in how it's specially implemented in the Windows operating system, he said.
Attackers can remotely exploit the flaw by sending a specially crafted RPC request to TCP port 135 on machines that are impacted. Corporations probably have the port plugged at the gateway, Ingevaldson said. Home users or smaller firms may have the port open to the Internet, which could leave them open to attack, he said.
There isn't any known exploit code in the wild for the flaw yet. LSD claims to have two working proof-of-concept codes, but the group hasn't released them yet. The group said its code allowed it to run commands on exploited systems with the highest system privileges.
The RPC vulnerability could be exploited by a network worm, much like the Slammer worm in January, Ingevaldson said. "In both cases there were ports open externally that never should have been," he said.
Coincidentally, a new worm this week began circulating that purported to be a critical patch from Microsoft. The Gruel worm is a mass-mailer that travels attached to a message. The worm doesn't seem to have gained much traction, but fears over the RPC vulnerability may prompt some users to click on the attachment.
Microsoft and other major software vendors as a rule do not send out patches as attachments. Instead, their alerts prompt users to go to a specific Web site to download patches or fixes from there.
The best way to protect against attack is installing the patch from Microsoft. Users with vulnerable systems can block TCP port 135 as a workaround. For most companies, this shouldn't be painful at all. "They really only need it open internally anyway," Ingevaldson said.