A critical vulnerability in Windows RPC-DCOM, discovered July 16, ranks first among the most prevalent and dangerous...
vulnerabilities, according to a new list released Wednesday.
The list, compiled by vulnerability-scanning service provider Qualys Inc., Redwood Shores, Calif., includes many older vulnerabilities, but the RPC-DCOM flaw is prominent, despite its recent discovery.
The vulnerability is in the way Remote Procedure Call (RPC) is implemented in most versions of Windows. The flaw, associated with the Distributed Component Object Model (DCOM) interface with RPC, is found in Windows NT, XP and 2000, as well as Windows Server 2003.
The RPC-DCOM vulnerability is a typical buffer overflow. Attackers who send properly crafted RPC requests can gain control of susceptible systems. The flaw itself is certainly severe, but its pervasiveness makes it especially worrisome. Since it was announced, experts have predicted that a worm will be created to take advantage of it. Those predictions became even more dire last weekend, when code to exploit the vulnerability was posted on security mailing lists.
Systems administrators are now in a race against time to patch their systems or perform workarounds to reduce their exposure before a worm strikes.
Qualys created the Real-Time Top Ten Vulnerabilities list to alert systems administrators to the flaws they should address first. The company constructed the list from raw data it has collected during the last 18 months through its vulnerability-scanning service. Qualys chief technology officer Gerhard Eschelbeck analyzed the information and pulled out the 10 vulnerabilities based on prevalence and danger.
In addition to the RPC flaw, also prominent on the list are several holes in Microsoft Internet Information Server (IIS) and a hole in SSL version 2.
"I was really surprised, as it's so easy to fix," Eschelbeck said.
Qualys is not alone in creating a list of top vulnerabilities. Recently, Internet Security Systems Inc. created the "Catastrophic Risk Index," which identifies 31 exploitable vulnerabilities companies should focus on.
Perhaps the granddaddy of all flaw lists is the SANS/FBI Top 20 Internet Security Vulnerabilities List, which Qualys helps compile. Eschelbeck sees his company's list and SANS' as complementary. "The SANS list is more an expert opinion of the most critical vulnerabilities at a specific point of time," he said, noting that Qualys tries to keep its list updated so that it's relevant at all times.
"We are always monitoring the data, and if we see a change, then we'll change the list to reflect that," Eschelbeck said.
FOR MORE INFORMATION:
FEEDBACK: Do you think a worm exploiting the RPC vulnerability is inevitable, and have you dropped everything and patched the flaw?
Send your feedback to the SearchSecurity.com news team.