Turnaround time on new RPC worm could be short

Security experts said previous flaws in Windows Remote Procedure Call could facilitate creation of a new worm exploiting additional flaws in RPC revealed on Wednesday.

Companies had about 26 days to patch their systems for the first RPC-DCOM vulnerability before a worm appeared. They will likely have a shorter window before new worms surface to exploit the new flaws, experts said today.

Microsoft announced on Wednesday two new vulnerabilities in the way many versions of Windows use Remote Procedure Call (RPC). They are very similar in scope and severity to the one announced on July 16, which was exploited by the Blaster and Nachi worms.

The new flaws are so similar that worm writers "may be able to just update or upgrade their exploit code," said Dan Ingevaldson, engineering director for Atlanta-based Internet Security Systems Inc.'s X-Force security monitoring operation. Since the first RPC flaw was announced, hackers have learned a lot about RPC and DCOM, so working with exploit code would be much easier, he said.

The flaws are in the RPCSS Service that handles RPC messages for DCOM (Distributed Component Object Model) activation. This interface handles DCOM object activation requests that are sent from one machine to another. RPC is a protocol that allows different systems to communicate with each other.

"There is plenty of code out there. All it would take are some minor changes to get it to work with the new vulnerabilities," said Jerry Brady, CTO of Guardent Inc., Waltham, Mass.

Guardent is predicting a worm will be created to exploit the new vulnerabilities soon, perhaps even today. Creating such a worm wouldn't be hard, but the potential impact of it could be significant. The vulnerabilities are so similar that one can predict what a new worm would do by looking at Blaster's progress. For example, Blaster hit an estimated 900,000 to 1,000,000 machines. A new worm would have the potential to hit just as many machines.

Closer attention to RPC is also a good thing because security research groups found the new flaws by examining the protocol. "It makes sense that people started looking at the RPC code when the other vulnerability was found," Ingevaldson said.

Once exploit code for the flaws is public, it wouldn't take much for someone to create a worm from it. Several variants of the Blaster worm appear to have been created by less-than-crack worm writers who did little more than tweak the original code.

For example, the FBI arrested Jeffrey Lee Parson, an 18-year-old from Minnesota, for allegedly writing Blaster-B, which spread to about 7,000 systems. A Romanian university student was also arrested for writing another variant of the worm.

Some system administrators will likely be perturbed about the new flaws because it will mean a new patch to install. "Patching systems are a big deal," Ingevaldson said. "I know of some companies that just finished installing the first patch. Now, they pretty much have to start at square one again."

Microsoft recommends users of vulnerable systems patch their systems as soon as possible. There are workarounds to reduce exposure to the flaws, but some could affect functionality. For example, users could block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445 and 593 at the firewall.

Features such as COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, could be disabled. Disabling DCOM is another safeguard, though it could affect software. "Generally, we don't recommend companies shut it off [unless they are sure they don't need it]. It's there for a reason," Ingevaldson said.


SearchSecurity alert: New RPC vulnerabilities

Microsoft security bulletin MS03-039
