The critical RPC flaw in Windows, in theory, shouldn't be a major issue, but it likely will be, experts say.
It would be difficult to overestimate the potential dangers of the Remote Procedure Call (RPC) vulnerability. First, it's found in most versions of Windows, including the new Windows Server 2003. Second, when exploited, the flaw could allow attackers to gain control of systems. Finally, a common misconfiguration could leave many systems susceptible without users being aware of it.
Users of susceptible systems can protect themselves by applying the patch from Microsoft or by blocking the TCP port -- port 135 -- used by RPC. But history has shown that system owners are usually not as quick or thorough in the cases of such vulnerabilities as the attackers who seek to exploit them.
The potential severity involved has prompted the Polish research group that found the vulnerability to withhold the exploit code its members created. The Last Stage of Delirium (LSD) group normally releases such code to help users combat vulnerabilities.
"We are definitely aware of the enormous impact of this vulnerability," LSD said during an e-mail interview with SearchSecurity.com. The flaw lies in both server and desktop systems, which means that millions of systems could be vulnerable, the group said.
"In our opinion, the impact of this vulnerability cannot be compared to any other previous remote attack against the Windows operating system," the group said. "We believe that no remote vulnerability in history affected so many systems in practice."
The vulnerability is not in RPC, which is a commonly used protocol for allowing heterogeneous systems to communicate with one another. It lies in how RPC is implemented in Windows. The flaw is found in Windows NT, XP, 2000 and Windows Server 2003. When exploited, a buffer overflow is created that could allow remote attackers to run commands with the highest system privileges.
Companies who block the RPC port from the outside world with their firewalls aren't vulnerable to attack. However, many organizations probably have TCP port 135 open because it's activated by default on many Windows machines. Virtually no company needs that port open to the outside world, experts said.
If the port is open to the Internet, remote attackers can exploit it by sending a specially crafted RPC request. LSD said it has two proof-of-concept exploit codes that work. Interestingly, the group said it got the code to work on the new Windows Server 2003, even though it "was more difficult due to [the new] buffer overflow prevention mechanism," the group said.
The nature of the flaw makes it ripe for being exploited by a worm, said Tim Mullen, chief information officer and chief software architect for AnchorIS.com, a developer of accounting software. "A worm will exploit this vulnerability," he said.
The impact of a worm will perhaps serve as the only way to ascertain the scope of the vulnerability. One can compare the situation to last January's SQL Slammer worm. Slammer, which exploited a flaw in Microsoft's SQL Server, hit a lot of shops that didn't realize they had UDP port 1434 open externally, said Dan Ingevaldson, engineering director for Internet Security Systems' X-Force.
One stumbling block for any would-be worm writers would be the unavailability of exploit code for the flaw. Exploiting the vulnerability is not trivial, LSD said. It requires significant experience working with the internals of Windows operating systems. The group had to develop some unique exploitation techniques.
"However, we do think that there exist several groups or individuals capable of doing it, so exploit codes from various sources may be expected in the wild soon," the group said.
Some may interpret LSD's reluctance to release exploit code as a sign that the group doesn't actually have it. But Mullen doesn't buy that logic. "There is no question in my mind they have working code on this," he said.
In fact, Mullen questions whether LSD's not releasing the exploit code would make much difference. "Enough information has been released about the vulnerability that the people who are capable of writing the exploit code could now do it," he said.
FOR MORE INFORMATION: