Just weeks after inking a multi-million dollar deal to make Microsoft its primary software provider, the Department of Homeland
Security (DHS) has joined the drive to ensure security patches are applied
to vulnerable IT systems.
The agency increased the alert level on an advisory originally issued by
Microsoft on July 16 for a security
vulnerability in the Windows Remote Procedure Call (RPC) protocol that
could lead to code execution.
At the time of Microsoft’s original warning, security experts cautioned
that the flaw posed an “enormous threat.” The DHS confirmed the worst in
its own
advisory, warning that “several working exploits are now in widespread
distribution on the Internet.”
“These exploits provide full remote system level access to vulnerable
computers… DHS and Microsoft are concerned that a properly written exploit
could rapidly spread on the Internet as a worm or virus in a fashion similar
to Code Red or Slammer,” the agency added.
David Wray, a DHS spokesman, said the agency has been monitoring the
situation and is in direct contact with the security community, as well as
with industry. “We’re seeing an Internet-wide increase in probing that could
be a search for vulnerable computers. It could be a precursor and it bears
continued watching… It certainly could be serious. It could lead to the
distribution of destructive, malicious code and it could cause considerable
disruption,” Wray added.
The decision by the DHS to drum up publicity for security patch
application, especially for ‘critical’ flaws, is seen as a direct response
to well-known complaints that IT administrators have not been vigilant about
installing fixes despite the clear danger of worms, viruses and intruder
attacks.
Security experts estimate that up to 50 percent of all enterprises could be sitting
ducks for hacker attacks because of unpatched, vulnerable computer
systems.
Now, with Microsoft as its main software
provider, the D.C.-based Homeland Security department is joining the
drive to underscore the seriousness of the latest Microsoft
vulnerability.
“Due to the seriousness of the RPC vulnerability, DHS and Microsoft
encourage system administrators and computer owners to take this opportunity
to update vulnerable versions of Microsoft Windows operating systems as soon
as possible,” the agency added. (Microsoft updates, workarounds, and
additional information on the RPC flaw are available here.)
Independent research firms also joined the DHS in raising the alert for
the buffer overflow in the Windows RPC Interface. Ever since Microsoft
first warned of the flaw on July 16, security experts say hackers started
experimenting with the vulnerability almost immediately, and the rate of
system probes and online chatter about the vulnerability has been
skyrocketing.
“We’re very concerned,” says Dan Ingevaldson, an engineering manager with
Atlanta-based Internet Security Systems, Inc. “Administrators have a window
of time to fix their systems, but that window is getting smaller… We think
there’s a risk here to the entire Internet.”
Ingevaldson notes that the vulnerability is unique in that it affects
both servers and desktops, expanding the reach of any exploit that takes
advantage of it. “We haven’t seen much of that before this,” says
Ingevaldson. “It’s the first major vulnerability that crosses the line
between desktops and servers. It’s a core component of the operating
system,” he added.
Qualys, Inc., a security auditing and vulnerability management firm, has
rated the RPC flaw as the most critical one out there right now. Gerhard
Eschelbeck, CTO of Qualys, says it involves the most prominent protocol used
in the Windows environment and leverages highly exposed ports.
Sophos’ senior security analyst Chris Belthoff said there has not yet
been an increase in virus or worm activity but warned of a major increase in
system probes. Hackers are poking into computers and networks around the
world to see what systems are in place and what vulnerabilities haven’t been
patched.
Most experts agree that the exploit would come in the form of a worm,
since the vulnerability doesn’t lend itself to a Denial-of-Service
attack.
— Sharon Gaudin of sister site Datamation contributed to this article.