RealTime IT News

Homeland Security: Apply Those Patches!

Just weeks after inking a multi-million dollar deal to make Microsoft its primary software provider, the Department of Homeland Security (DHS) has joined the drive to ensure security patches are applied to vulnerable IT systems.

The agency increased the alert level on an advisory originally issued by Microsoft on July 16 for a security vulnerability in the Windows Remote Procedure Call (RPC) protocol that could lead to code execution.

At the time of Microsoft's original warning, security experts cautioned that the flaw posed an "enormous threat." The DHS confirmed the worst in its own advisory, warning that "several working exploits are now in widespread distribution on the Internet."

"These exploits provide full remote system level access to vulnerable computers... DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer," the agency added.

David Wray, a DHS spokesman, said the agency has been monitoring the situation and is in direct contact with the security community, as well as with industry. "We're seeing an Internet-wide increase in probing that could be a search for vulnerable computers. It could be a precursor and it bears continued watching... It certainly could be serious. It could lead to the distribution of destructive, malicious code and it could cause considerable disruption," Wray added.

The decision by the DHS to drum up publicity for security patch application, especially for 'critical' flaws, is seen as a direct response to well-known complaints that IT administrators have not been vigilant about installing fixes despite the clear danger of worms, viruses and intruder attacks.

Security experts estimate that up to 50 percent of all enterprises could be sitting ducks for hacker attacks because of unpatched, vulnerable computer systems.

Now, with Microsoft as its main software provider, the D.C.-based Homeland Security department is joining the drive to underscore the seriousness of the latest Microsoft vulnerability.

"Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage system administrators and computer owners to take this opportunity to update vulnerable versions of Microsoft Windows operating systems as soon as possible," the agency added. (Microsoft updates, workarounds, and additional information on the RPC flaw are available here.)

Independent research firms also joined the DHS in raising the alert for the buffer overflow in the Windows RPC Interface. Ever since Microsoft first warned of the flaw on July 16, security experts say hackers started experimenting with the vulnerability almost immediately, and the rate of system probes and online chatter about the vulnerability has been skyrocketing.

"We're very concerned," says Dan Ingevaldson, an engineering manager with Atlanta-based Internet Security Systems, Inc. "Administrators have a window of time to fix their systems, but that window is getting smaller... We think there's a risk here to the entire Internet."

Ingevaldson notes that the vulnerability is unique in that it affects both servers and desktops, expanding the reach of any exploit that takes advantage of it. "We haven't seen much of that before this," says Ingevaldson. "It's the first major vulnerability that crosses the line between desktops and servers. It's a core component of the operating system," he added.

Qualys, Inc., a security auditing and vulnerability management firm, has rated the RPC flaw as the most critical one out there right now. Gerhard Eschelbeck, CTO of Qualys, says it involves the most prominent protocol used in the Windows environment and leverages highly exposed ports.

Sophos' senior security analyst Chris Belthoff said there has not yet been an increase in virus or worm activity, but warned of a major increase in system probes. Hackers are poking into computers and networks around the world to see what systems are in place and what vulnerabilities haven't been patched.

Most experts agree that the exploit would come in the form of a worm, since the vulnerability doesn't lend itself to a Denial-of-Service attack.

-- Sharon Gaudin of sister site Datamation contributed to this article.