The vulnerability that Microsoft patched today with an out-of-band patch is about as serious as they come, allowing remote code execution on every supported version of Windows. The rare emergency patch, the first Microsoft has issued since early 2007, was prompted by the company seeing targeted attacks against the vulnerability on fully patched machines. The flaw, which is in the Server service, can be exploited through specially crafted RPC requests, and the attacker does not need to be authenticated to exploit it on Windows Server 2000, XP or Server 2003. But Microsoft officials said there are some mitigating factors on several versions of Windows. Specifically, Vista's use of DEP and ASLR makes it difficult for an attacker to exploit the flaw, and an attacker must be authenticated on both Vista and Server 2008 in order to reach the RPC service.
An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:
1) The firewall is disabled.
2) The firewall is enabled, but file/printer sharing is also enabled.
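The two exposure conditions above are easy to audit per host. The following is an added example, not code from the article or from Microsoft; it assumes a host with the NetSecurity PowerShell module (Windows 8 / Server 2012 or later, which postdates the systems the article discusses; the check logic is the same) and that file/printer sharing is expressed by the built-in "File and Printer Sharing" firewall rule group.

```powershell
# Added example (not from the article): report whether the RPC endpoint is
# reachable according to the two conditions the article lists:
#   1) a firewall profile is disabled, or
#   2) the firewall is on but File and Printer Sharing is allowed inbound.
# Assumes the NetSecurity module (Get-NetFirewallProfile / Get-NetFirewallRule).

function Test-RpcEndpointExposure {
    [CmdletBinding()]
    param()

    # Condition 1: any firewall profile (Domain/Private/Public) switched off.
    $disabledProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $firewallOff = $disabledProfiles.Count -gt 0

    # Condition 2: inbound allow rules in the File and Printer Sharing group are enabled.
    $sharingRules = @(
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
            }
    )
    $sharingOn = $sharingRules.Count -gt 0

    $reason = if ($firewallOff) { 'firewall disabled' }
              elseif ($sharingOn) { 'file/printer sharing enabled' }
              else { 'not exposed' }

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        FirewallDisabledProfiles     = ($disabledProfiles.Name -join ', ')
        FileAndPrinterSharingInbound = $sharingOn
        RpcEndpointExposed           = ($firewallOff -or $sharingOn)
        Reason                       = $reason
    }
}

# Run locally; pipe the object into CSV for fleet-wide patch prioritisation.
Test-RpcEndpointExposure | Format-List
```

Hosts reporting `RpcEndpointExposed = True` are the ones to patch first; the Vista/Server 2008 authentication requirement the article mentions is a second line of defence, not a reason to defer the update.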
The new RPC flaw is causing flashbacks for many in the security community who remember the RPC DCOM vulnerability that the Blaster worm exploited in 2003. That worm hammered networks across the Internet and was one in a years-long line of worms such as Slammer, Code Red and Nimda. Those kinds of worms are largely a thing of the past now, but this latest vulnerability has all the makings of a worm hole.