Microsoft patches critical hole in its RPC service
Microsoft has issued a non-routine security update to close a critical hole. The hole is an error in the RPC service which, according to the security advisory, can be exploited to insert code remotely into a system and run it. Crafted RPC requests are all that's needed to carry out such an attack. Under Windows 2000, XP and Server 2003, an attacker doesn't even have to authenticate to the target system for the requests to be processed.
Microsoft expressly states that the hole has the potential for a worm. The MSBlaster worm, also known as Lovsan, spread through a similar hole in the RPC service in mid 2003, causing considerable damage. That, however, was at a time when the firewall in Windows XP wasn't activated by default, so many unprotected PCs were attached both to the internet and to local networks.
Microsoft also says in its security bulletin MS08-067 that the first targeted attacks, in which attackers have tried to penetrate systems through the hole, have already been made. Apparently no exploit has yet been seen. PCs with an active firewall are said to be secure against such attacks. Under Vista and Server 2008, moreover, prior authentication is necessary before the error can be exploited.
The erroneous code appears to have gone undiscovered for a long time, and is even contained in the beta version of Windows 7. Microsoft has emphasised in the past that, as part of the Software Development Lifecycle (SDL), independent teams audit programming code both manually and with tools.
Microsoft recommends that all users install the update as quickly as possible. All Microsoft operating systems except Windows 2000 will be updated automatically if configured to do so.
- Vulnerability in Server Service Could Allow Remote Code Execution MS08-067 from Microsoft