Critical Windows Flaw a Potential Springboard for Damaging Worm
- By Scott Bekker
Microsoft is feverishly trying to get users to apply a patch it released two weeks ago for a critical RPC vulnerability that affects most supported versions of Windows before a widespread worm based on the vulnerability can break out.
Several hacker sites last week published exploit code, an important precursor to the outbreak of a major worm similar to SQL Slammer or Nimda.
Microsoft took the unusual step of plastering notices about the vulnerability on non-security pages all over its Web site. The notices appear on the main Microsoft homepage and on several Windows-related Microsoft pages.
"Action for Windows users: Read Security Bulletin MS03-026, and install the security patch immediately," an alert headline in the upper right corner of Microsoft's homepage reads.
There have also been reports that Microsoft is issuing e-mail alerts outside of its normal security bulletin notification service to urge users to apply the patch, which was first posted on July 16.
The flaw is a huge problem because it can allow an attacker to remotely take control of a system. Affected platforms include Windows Server 2003, Windows 2000, Windows NT 4.0 and Windows XP. Windows 98 and Windows 98 SE are no longer supported and were not tested. Windows Me was found not to be vulnerable. Chinese and U.S.-based coders have already released exploit code that takes advantage of the vulnerability, and that code has been downloaded extensively.
The problem involves a buffer overrun vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. RPC is a protocol in Windows to allow a program on one computer to execute code on a remote system.
An attack would be similar to the highly damaging SQL Slammer and Nimda attacks, in that any worm written to exploit the problem would be released weeks or months after the patch was first issued.
A Gartner bulletin on Monday noted that there has also been widespread scanning of ports 135 and 445, which allow connections to Windows-based RPC services such as Active Directory. Gartner interprets the increase in scanning as another sign that a full-scale assault is imminent. "Enterprises should immediately ensure that Internet firewalls block the vulnerable services, use access control lists in routers to segment their networks and block the affected ports, and patch all Windows servers and desktops," Gartner analysts John Pescatore and Richard Stiennon wrote.
The Microsoft patch is available here:
Scott Bekker is editor in chief of Redmond Channel Partner magazine.