Nearly a month to the day after the Blaster worm began tearing through the Internet looking for machines vulnerable to the RPC DCOM exploit, Microsoft Corp. on Wednesday said that there are three newly identified flaws in the RPC protocol in Windows, two of which are quite similar to the one that Blaster attacks.
The most recent vulnerabilities include two buffer overruns and a denial-of-service flaw, all of which are found in the RPCSS service. Specifically, the problems lie in the portion of the service that handles RPC messages for the activation of the Distributed Component Object Model (DCOM).
In all three cases, the vulnerability results from the failure of the RPCSS service to correctly handle malformed messages. An attacker who exploits one of the buffer overruns would be able to run any code he chose on a vulnerable machine. Exploiting the DoS flaw results in the failure of the RPCSS service.
This set of weaknesses is eerily similar to the one that Blaster has been exploiting since Aug. 11. The worm infected hundreds of thousands of PCs and numerous variants were released within a few days.
This new set of vulnerabilities may prove to be fertile ground for worm writers as well, experts say. According to members of Internet Security Systems Inc.s X-Force research team, the DoS vulnerability in the RPCSS service has been known in the cracker community since July and there is a working exploit circulating.
“The only thing thats changed since Blaster is maybe that theres more resistance built up in the networks now as far as filtering of port 135. But aside from that, the scope and seriousness are the same and the exact same conditions exist,” said Dan Ingevaldson, engineering manager for the X-Force at ISS, based in Atlanta. “This is really close [to the earlier RPC DCOM flaw].”
Like the flaw that Blaster exploits, both of the new buffer overruns affect Windows NT 4.0, 2000, XP and Windows Server 2003, and are rated critical. The DoS flaw is only present in Windows 2000, Microsoft said.
To remedy the vulnerabilities, Microsoft, based in Redmond, Wash., issued a new patch that supersedes the one it released to fix the earlier RPC DCOM issue. The company has also released a new scanning tool to determine which systems have the new vulnerabilities. This tool also replaces the one Microsoft wrote to find PCs at risk to the original DCOM flaw.
Discuss this in the eWEEK forum.