RSA: Unpatched RPC flaw hangs over Windows shops

A security researcher says that a patch for a 4-month-old vulnerability in RPC may be on the way. That, however, doesn't lessen current exposure.

SAN FRANCISCO -- Some security experts have argued that the recent vulnerability in the ASN.1 parser library common to several flavors of Windows may be the biggest Microsoft flaw ever.

That's the case because any application that loads the library could serve as an attack vector.

But at least there's a patch for the flaw.

The same cannot be said for a vulnerability in Windows RPC that was reported to Microsoft in October. The flaw, which is different from the RPC DCOM flaw that spawned the Blaster and Nachi worms, exposes Windows XP and 2000 systems to denial-of-service attacks because of a race condition in the multi-threaded RPC service. A remote attacker could crash the service simply by sending multiple RPC requests: if two threads end up processing the same request, memory is corrupted and the service goes down.
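The bug class described above, two workers that both pop and handle the same queued request, is easier to reason about with a deterministic model. The following C program is an added illustration and is not Windows RPC code or anything derived from the reported flaw: it models a shared request queue and two worker threads as small state machines, interleaves them one instruction at a time (so the race shows up reliably instead of depending on the scheduler), and counts how many requests are handled a number of times other than once. With the unlocked dequeue every request is handled twice (a double free in real code); with the mutex-style lock held across the read-then-pop, each request is handled exactly once. All names (`run_round_robin`, `worker_step`, the step enum) are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_REQ 64

/* Assumed model of the bug class, not Windows RPC code: a shared queue of
 * pending requests that worker threads pop from and handle. */
typedef struct request {
    int id;
    int handled;            /* how many workers "processed" this request */
    struct request *next;
} request_t;

typedef struct {
    request_t *head;
    bool locked;            /* models a mutex guarding the dequeue */
} queue_t;

/* Each worker is a tiny state machine so that two of them can be
 * interleaved deterministically at the granularity where the race lives:
 * LOAD reads the shared head, ADVANCE pops it, PROCESS handles it. */
enum step { ST_LOAD, ST_ADVANCE, ST_PROCESS, ST_DONE };

typedef struct {
    enum step step;
    request_t *req;         /* thread-local copy of head taken at ST_LOAD */
} worker_t;

/* Advance one worker by one step; use_lock selects the hardened variant. */
static void worker_step(queue_t *q, worker_t *w, bool use_lock)
{
    switch (w->step) {
    case ST_LOAD:
        if (use_lock) {
            if (q->locked)                /* lock held by the other worker: spin */
                return;
            q->locked = true;
        }
        w->req = q->head;                 /* read the shared head */
        if (w->req == NULL) {
            w->step = ST_DONE;
            if (use_lock) q->locked = false;
        } else {
            w->step = ST_ADVANCE;
        }
        break;
    case ST_ADVANCE:
        q->head = w->req->next;           /* pop; unsafe if the other worker read the same head */
        if (use_lock) q->locked = false;  /* pop complete, release the lock */
        w->step = ST_PROCESS;
        break;
    case ST_PROCESS:
        w->req->handled++;                /* a second handling is a use-after-free in real code */
        w->step = ST_LOAD;
        break;
    case ST_DONE:
        break;
    }
}

/* Run two workers in strict round-robin over nreq queued requests and
 * return how many requests were handled a number of times other than once.
 * Returns -1 for an out-of-range nreq. */
int run_round_robin(int nreq, bool use_lock)
{
    static request_t pool[MAX_REQ];       /* constructed sample queue */
    queue_t q = { NULL, false };
    worker_t a = { ST_LOAD, NULL }, b = { ST_LOAD, NULL };
    int mishandled = 0, ticks = 0;

    if (nreq < 1 || nreq > MAX_REQ) return -1;
    for (int i = 0; i < nreq; i++) {
        pool[i].id = i + 1;
        pool[i].handled = 0;
        pool[i].next = (i + 1 < nreq) ? &pool[i + 1] : NULL;
    }
    q.head = &pool[0];

    /* Tick cap guards against a modelling mistake turning into a hang. */
    while ((a.step != ST_DONE || b.step != ST_DONE) && ticks++ < 16 * nreq + 16) {
        worker_step(&q, &a, use_lock);
        worker_step(&q, &b, use_lock);
    }
    for (int i = 0; i < nreq; i++)
        if (pool[i].handled != 1) mishandled++;
    return mishandled;
}

int main(void)
{
    printf("unlocked dequeue: %d of 4 requests not handled exactly once\n",
           run_round_robin(4, false));
    printf("locked dequeue:   %d of 4 requests not handled exactly once\n",
           run_round_robin(4, true));
    return 0;
}
```

The point of the lock-step interleaving is that the window is the gap between reading `head` and writing it back; any two workers that both land in that gap pop the same request. Holding the lock across both operations closes the window, which is the shape a fix for this class of bug has to take regardless of the service involved.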

Microsoft still has not released a patch for the flaw, leaving nearly every Windows XP and 2000 system exposed to potential exploits. Microsoft may, however, be preparing an all-encompassing RPC patch that would address this issue and previous flaws surrounding the network service, said Gerhard Eschelbeck, chief technology officer with Qualys Inc., at RSA Conference 2004. RPC is a protocol that one program can use to request a service from another program located elsewhere on a network.

"This is a well-known problem. This is a variant of the other RPC flaws, and it is easily reproduced because there is an exploit out there that allows you to crash any Windows XP system," Eschelbeck said. "This is serious."

Eschelbeck talked about his recent research on vulnerabilities during a panel discussion Tuesday at the conference. Drawing from two years of Internet data collected by Qualys' vulnerability assessment scanners, Eschelbeck said that vulnerabilities have a half-life of 30 days before they are addressed. Inside the enterprise, that number rises to 60 to 90 days, because of testing and deployment cycles. In the meantime, 80% of exploit code is available within 60 days.

He also said that vulnerabilities have an infinite lifespan. "Enterprises today are still using predefined images to roll out new servers. So what they do is roll out new servers with old patches installed [and without new patches]," Eschelbeck said.

Eschelbeck looked at 3 million IP scans for vulnerabilities and found 1.9 million critical flaws on the scanned systems, spanning 2,054 distinct vulnerabilities, 1,175 of which were rated critical.

"The time from vulnerability disclosure to exploit is getting shorter," he said. "[Thirty days] is significant exposure. We have to do everything we can to get that cycle shorter. I hope a year from now, I can say that my research shows that cycle [is] down to 15 days."

Eschelbeck also released a top 10 list of the highest-risk security vulnerabilities, which he said is updated automatically and continuously. As of Tuesday, the unpatched RPC flaw and the ASN.1 vulnerabilities were prominent on the list, as were two other RPC DCOM flaws, a hole in Microsoft's IIS Web server, WebDAV and Windows Messenger Service. Non-Microsoft flaws on the list included problems in Apache and Sendmail.
