Enterprises are accelerating their patching of the RPC-DCOM vulnerability following the rapid spread of a worm exploiting the well-publicized Windows flaw.
Blaster, also known as Lovsan and the RPC worm, started slowly circulating Monday and quickly picked up speed, infecting Windows machines around the world. Symantec's Security Response Team says it has identified more than 167,000 infected hosts that are continuing to attempt to spread the worm.
Microsoft provided a workaround immediately following the vulnerability's discovery three weeks ago. Shutting down ports 135, 139, 445 and 593 blocked systems from infection. Many enterprises were rolling out the patch that corrects the RPC flaw, but the fast-spreading Blaster caught many off guard.
"Enterprises were still on a two week roll out plan, and many enterprises were planning to be halfway rolled out by now," says Eric Schultze, executive director of product research and development at Shavlik Technologies. "Now, they're accelerating plans."
The RPC-DCOM vulnerability primarily affects Windows 2000 and XP, but may also affect Windows NT 4.0 and Windows Server 2003. Schultze says many enterprises are upgrading to Windows 2000 SP3, since Microsoft hasn't tested and doesn't support the patch for SP2.
Home and remote office users were particularly hard hit, since many don't have personal firewalls or install patches. Worst, infected machines brought into corporate environments allowed Blaster to circumvent the workarounds and infect corporate networks.
As of Tuesday night, Symantec and others say Blaster's propagation is slowing, but remains dangerous.
"The patch for the vulnerability is effective, and it's important to apply the patch," says Dee Liebenstein, group product manager for Symantec Security Response. "Just because Blaster is slowing down doesn't mean that the threat is gone. There's a chance for future variants."
For those infected, the CERT Coordination Center has also released steps for recovering from the worm's infection.