Some observers have compared the critical Windows RPC-DCOM vulnerability to the SQL Server flaw that empowered the Slammer worm in January. There are similarities but there is a noticeable difference: patching the RPC flaw is much easier.
The patch for the RPC-DCOM flaw, available since July 16, isn't particularly difficult to install, experts said. It's not nearly as hard as installing a Service Pack. "We have had no reports of blue screens or other problems," said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force security monitoring operation.
"It's a pretty easy patch to install," Ingevaldson continued. "But that is an engineer talking. I am not sure how my mother or grandmother would find installing it."
Luckily for Ingevaldson's mother and grandmother, Windows XP's automatic update feature can handle that task, which could help minimize the vulnerability of many home users.
SQL Server users didn't have such an easy option, but they did have six months to patch before Slammer struck. The issue was that the SQL Server patch was difficult to install, especially on remote machines, because files had to be copied and pasted by hand, system administrators said at the time.
Also, Slammer was so successful (it took only 10 minutes for it to spread to 90% of vulnerable systems) because many companies unknowingly had UDP port 1434 open to the external world. The worm could shoot out copies of itself to that port on other hosts, infecting more systems.
Users can learn a lesson from Slammer. Blocking certain ports would prevent exploitation of the RPC-DCOM vulnerability, either manually or by a worm. The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh recommends blocking external access to the following ports: TCP 135, UDP 135, TCP 139, UDP 139, TCP 445 and UDP 445.
Generally, companies shouldn't experience many problems with blocking those ports at the perimeter. But companies could also face a threat if the ports are left open internally, which some companies need. A telecommuter who uses a VPN connection to access the main network could be the weakest link in the security chain, because the affected ports would be open across the tunnel, Ingevaldson said. Often remote employees don't have the same level of security protections, so they are more likely to become infected by a worm.
Organizations that take a more proactive approach to security won't need to fear being hurt by the vulnerability, said Gary Morse, president of Razorpoint Security Technologies, which conducts penetration tests for companies. Hardening operating systems and using intelligent firewalls that can analyze traffic at a deeper level would help, he said.
Issues such as the RPC vulnerability highlight a flaw in the way many companies think about security. "The mindset is to block a port because it's bad," said Tim Mullen, chief information officer and chief software architect for AnchorIS.com, a developer of accounting software. "You should only open the ports you need and block everything else."
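The two postures the article contrasts, "block a port because it's bad" versus "open only what you need and deny everything else", can be checked mechanically against the CERT port list above, and the same check shows the VPN gap Ingevaldson describes. The following is an added example, not code from the article or from any of the vendors quoted in it: it evaluates a simplified, constructed firewall rule format (first match wins, with a default action) and reports which of the CERT-listed ports are still reachable from a given source zone. The zone names "internet" and "vpn" and the rule format are assumptions for the example.

```python
"""Audit an inbound firewall policy for the RPC/NetBIOS/SMB ports that
CERT/CC recommended blocking at the perimeter: TCP/UDP 135, 139 and 445.

Added example, not from the article. The rule format is a constructed
simplification: each rule is (action, proto, port, source zone), evaluated
first-match, with a policy-wide default action. Zone names are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (protocol, port) pairs from the CERT recommendation quoted in the article.
CERT_BLOCK_PORTS = {
    ("tcp", 135), ("udp", 135),
    ("tcp", 139), ("udp", 139),
    ("tcp", 445), ("udp", 445),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches any port
    zone: str              # source zone name, or "any"


def evaluate(policy: List[Rule], default: str, proto: str, port: int, zone: str) -> str:
    """Return the action for a packet: first matching rule, else the default."""
    for r in policy:
        if (r.proto in ("any", proto)
                and r.port in (None, port)
                and r.zone in ("any", zone)):
            return r.action
    return default


def exposed_ports(policy: List[Rule], default: str, zone: str) -> List[Tuple[str, int]]:
    """CERT-listed (proto, port) pairs that traffic from `zone` can still reach."""
    return sorted(p for p in CERT_BLOCK_PORTS
                  if evaluate(policy, default, p[0], p[1], zone) == "allow")


def harden(policy: List[Rule], zone: str) -> List[Rule]:
    """Prepend explicit deny rules for the CERT ports from `zone`.

    Prepending keeps any later broad 'allow' (e.g. for a VPN zone) intact
    while closing exactly the ports the worm would use.
    """
    denies = [Rule("deny", "any", port, zone) for port in sorted({p for _, p in CERT_BLOCK_PORTS})]
    return denies + list(policy)


# Posture 1 (constructed): default allow, and someone "blocked the bad port"
# for TCP 135 and TCP 445 only. UDP and port 139 were forgotten.
DENYLIST_POLICY = [
    Rule("deny", "tcp", 135, "internet"),
    Rule("deny", "tcp", 445, "internet"),
]
DENYLIST_DEFAULT = "allow"

# Posture 2 (constructed): default deny at the perimeter, with HTTPS opened
# from the internet and the VPN zone allowed through wholesale.
ALLOWLIST_POLICY = [
    Rule("allow", "tcp", 443, "internet"),
    Rule("allow", "any", None, "vpn"),
]
ALLOWLIST_DEFAULT = "deny"


def report(policy: List[Rule], default: str, zone: str) -> str:
    """One-line human-readable summary used by the demo below."""
    exposed = exposed_ports(policy, default, zone)
    if not exposed:
        return f"{zone}: no CERT-listed ports reachable"
    return f"{zone}: still reachable -> " + ", ".join(f"{p}/{n}" for p, n in exposed)


if __name__ == "__main__":
    print("Deny-list posture (default allow):")
    print("  " + report(DENYLIST_POLICY, DENYLIST_DEFAULT, "internet"))
    print("Allow-list posture (default deny):")
    print("  " + report(ALLOWLIST_POLICY, ALLOWLIST_DEFAULT, "internet"))
    print("  " + report(ALLOWLIST_POLICY, ALLOWLIST_DEFAULT, "vpn"))
    print("Allow-list posture after hardening the VPN zone:")
    print("  " + report(harden(ALLOWLIST_POLICY, "vpn"), ALLOWLIST_DEFAULT, "vpn"))
```

Running it shows the point of each paragraph: the deny-list posture leaves four of the six CERT ports open because only the two "bad" ones anyone remembered were blocked, the allow-list posture exposes nothing from the internet, and the blanket VPN allow re-exposes all six until explicit denies are placed ahead of it.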
FOR MORE INFORMATION:
SearchSecurity.com news exclusive: "Windows RPC exploit code published"