The Lovsan worm last month caused more than $1 billion in damages and lost productivity, but it could have been much worse, according to the group that discovered the vulnerability exploited by the worm. The Last Stage of Delirium (LSD), a Polish security research group, discovered the flaw in how Remote Procedure Call (RPC) is implemented in Windows. The group considered it such a grave vulnerability that it didn't release the exploit code for the flaw when it released an advisory July 16. In this e-mail interview with SearchSecurity.com, the group describes why it thinks the resulting worms weren't as bad as it feared and predicts whether other worms will target the vulnerability. The group also addresses the new vulnerabilities in RPC-DCOM announced last week.
Were you surprised when you heard last week that other vulnerabilities were found in RPC-DCOM on Windows?
Last Stage of Delirium: Other vulnerabilities in Microsoft RPC were highly expected, so in this context, these vulnerabilities can hardly be considered surprising. However, the surprise is that these vulnerabilities are also located in the DCOM interface, which should have been cleared. Unfortunately, after finding the first RPC-DCOM vulnerability, we did not perform the complete analysis of the subject.
How severe do you think the new vulnerabilities are?
LSD: At this moment, we are not able to clearly estimate the impact of these vulnerabilities. The key issue here is if they are also fully exploitable in real environments, like the vulnerability that we found. The appearance of a potential worm that would use these vulnerabilities and pose a real threat to common users depends critically on this issue.
When you announced the first RPC-DCOM vulnerability, you held off on releasing exploit code and technical details because of the 'enormous impact of this vulnerability.' Did the resulting worms that exploited the flaw live up to your fears?
LSD: Fortunately, the known worms that exploited [the] RPC-DCOM vulnerability turned out to be definitely less severe than we had feared. First of all, they are not advanced from a technological point of view. For example, they are not using any techniques for hiding themselves. Secondly, what is probably more important, these worms are not especially malicious ones. In [the] case of [the] original worm, the biggest potential damage was connected with attempts to perform denial-of-service attacks against Microsoft, which eventually failed. A further modification, aimed at installing backdoor solutions, infected only a limited number of systems.
In [the] context of [the] potential impact of the RPC-DCOM vulnerability and the number of originally vulnerable systems, the overall damage should not be considered as severe. A technologically advanced and more hostile worm could have caused much bigger harm.
There have been some reports that the writer of Lovsan/Blaster used posted exploit code in the worm. Some might say the writer of exploit code should take part of the blame for the worm. How would you reply to such an accusation?
LSD: The exploit code, as well as a worm using it, were unavoidable. Publishing a patch for a software vulnerability is in practice equal to publishing the technical details for this vulnerability, as they can usually be easily obtained through comparative analysis of a vulnerable system and a patched one. There are many skilled researchers and groups in the world capable of developing proof-of-concept codes based on such technical information within hours.
We have decided not to publish the technical details for this vulnerability, and we think we made the right decision -- the patch was available several days before the proof-of-concept code, and even more days before the first worm. The publicly available exploit code obviously facilitated development of the worm, but it also allowed developers of antivirus and IDS solutions to prepare appropriate signatures and updates.
Do you think worm writers will continue to create worms that exploit the RPC vulnerability?
LSD: It is not likely. The RPC-DCOM vulnerability was widely discussed in [the] media, and [the] impact of this vulnerability has been significantly reduced. Of course, this vulnerability will still be used, but rather not by worms designed specially for this bug ... but by worms equipped with modules for many different attacks (exploiting different vulnerabilities).
Will worm writers try, for example, something that hits Windows Server 2003? Or will they move on to newer vulnerabilities?
LSD: It is very unlikely that worm writers will focus on exploiting Windows Server 2003 with this specific vulnerability. Exploitation of [the] RPC-DCOM bug in the case of Windows 2003 may be considered a challenge from a technical point of view, yet this system is not so attractive as a target for worm writers. This system is not very popular yet, and as installations of this system are relatively new, most of them are probably highly secure. The impact of a worm would therefore be very limited, and worm writers will rather focus on newer vulnerabilities.
Do you find it frustrating that you warned people of the flaw, but so many didn't patch their systems immediately?
LSD: No one should expect all people to apply patches, even in a case like this, when the vulnerability is widely discussed, not only in [the] security community. Unfortunately, the lack of security awareness is still one of the major problems in security. It is not only about appropriate technologies. In this specific case, we did our best and we really have no reason to be frustrated.