Microsoft has warned of critical flaws in nearly all versions of its Windows operating systems. According to the company, the flaws could leave millions of computers vulnerable to attack.
While computers would still be protected by firewalls and blocked ports, security experts expressed concern that the widely used Microsoft software is likely to be a big target for attackers.
“It’s really critical in nature,” ISS X-Force vice president Chris Rouland told TechNewsWorld. “We’re talking about a several-million user population that is vulnerable to a remote compromise in the default [OS settings].”
The vulnerability, discovered by a research group known as the Last Stage of Delirium, involves a Remote Procedure Call (RPC) protocol that lets a remote machine execute code in the Windows OS.
The LSD group reports that remote attackers could gain remote access and system privileges by sending malformed RPC messages using the Distributed Component Object Model (DCOM) services, an RPC interface that listens on TCP/IP port 135.
“By sending specially crafted messages to the TCP port 135 of vulnerable Windows systems, an attacker can exploit the vulnerability and execute any code with system privileges,” the LSD group said in a statement.
Microsoft, which released patches for the affected software in a bulletin, described the flaw as critical for all of its recent operating systems, including Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003.
In addition to the patches, Microsoft said that port 135 normally is blocked by a firewall for Internet-connected computers. The software giant advised blocking all TCP/IP ports that are not actually being used.
Despite mitigating factors, security experts said that because of the widespread distribution of Microsoft operating systems, a worm that takes advantage of the latest flaw is likely to be released.
“There’s a very high probability that a worm will be developed to take advantage of this exploit,” Rouland confirmed. “That’s due to the nature of this being a widespread vulnerability, easily exploitable and with code already out there – someone could integrate this with the Slammer worm in a few hours.”
Gartner vice president of research Richard Stiennon agreed, telling TechNewsWorld that a worm might rapidly make its way through the vast number of affected Microsoft systems.
“This is where a fundamental vulnerability in the OS is going to leave every system out there susceptible to the next Slammer,” Stiennon said. “It’s going to be very fast. I don’t think that there’s going to be enough time to get this one. It could be less than a month before the worm hits.”
Rouland, who said businesses and end users are likely targets because of enterprise security efforts, indicated the flaw is not a failure of Microsoft’s two-year-old Trustworthy Computing initiative.
“This is an old piece of code that predates this effort,” Rouland said, adding that the most recent Windows Server 2003 code is less susceptible to exploitation of the flaw.
Stiennon – who expressed surprise that Windows Server 2003 is vulnerable because it seemed to have incorporated the best of Microsoft’s development, security and quality assurance efforts – said the latest software’s limited deployment mitigated the seriousness of the flaw in Server 2003.
However, Stiennon was critical of Microsoft’s proprietary code, which he said limits control of ports on a Microsoft network.
“I don’t think this is a black eye for the process in place, but it is a black eye for Microsoft architecture, which relies on a lot of nailed-up protocols,” he said.