Microsoft today released a critical alert warning of three vulnerabilities in how Remote Procedure Call is implemented in Windows. Users of vulnerable systems should patch their systems immediately or take some preemptive measures.
If history is any lesson, then the vulnerabilities will be exploited. Last month, the Blaster and Nachi worms exploited another vulnerability in RPC-DCOM. Microsoft announced the flaw on July 16. Less than a month later, Blaster appeared.
Two of the vulnerabilities, which are buffer overflows, could allow remote attackers to run code on exploited systems, Microsoft said in its advisory. The third could trigger a denial-of-service affect on vulnerable systems.
The buffer overflow vulnerabilities are found in Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, according to Microsoft. The denial-of-service flaw is found only in Windows 2000.
Information about the DoS flaw has been on security mailing lists for weeks, but this is the first time Microsoft has offered a fix for it, said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force security monitoring operation. The other two are new vulnerabilities but are very similar in scope and origin to the one announced in July. The similarities ease protection but also aid attackers.
For example, there is probably still a lot of residual protection out there such as blocking port 135, which is used by RPC, Ingevaldson said. ISPs started filtering traffic when Blaster broke so this also could thwart attempts to exploit the new vulnerabilities.
On the other hand, attackers have also had time to study RPC thus making it easier for them to create a worm to target the new flaws. "They may be able to just update or upgrade their exploit code," Ingevaldson said.
The flaws are in the RPCSS Service that handles RPC messages for DCOM (Distributed Component Object Model) activation. This interface handles DCOM object activation requests that are sent from one machine to another. RPC is a protocol that allows different systems to communicate with each other.
The vulnerabilities are triggered when malformed RPC messages are processed by vulnerable systems. When this is done, attackers could gain local system privileges. Such system access means they could do anything from installing programs to manipulating data.
Stephen Toulouse, security program manager at the Microsoft Security Response Center, said that the software giant discovered the vulnerabilities internally during a code review. However, the problems were also reported by eEye Digital Security, NSFOCUS Security Team, and Xue Yong Zhi and Renaud Deraison from Tenable Network Security. "It makes sense that people started looking at the RPC code when the other vulnerability was found," Ingevaldson said.
Microsoft recommends that users of vulnerable systems patch as soon as possible. In the meantime, there are workarounds that companies can consider such as blocking the ports used by RPC and shutting off DCOM, though this could affect functionality. RPC is not just a peripheral service run by Windows but is in the operating system itself. "You can't just flip a switch and turn it off," Ingevaldson said.
FOR MORE INFORMATION: