The Blaster worm that exploits a hole in Microsoft's Remote Procedure Call (RPC) distributed component object model (DCOM) protocol is only using one of three possible exploits found in the code.
The vulnerability, a buffer overrun in a Windows interface that handles the RPC protocol was acknowledged by Microsoft in a security bulletin posted on July 16. The flaw affects several versions of Windows, including Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, making potential targets of millions of desktop and server computers.
Christchurch-based virus expert Nick FitzGerald, who edits IDG Communications' email virus watch newsletter, says there are three possible exploits in the RPC core that could all breed viruses of their own should anyone be tempted.
"One of them is a remote arbitrary code execution, buffer overflow type problem in DCOM. One is a generic RPC denial of service and the third one I think only affects NT 4.0."
The first of these flaws, the MS03-026 flaw, allows a would-be hacker to gain control of a Windows system through a security hole in the DCOM (distributed component object model) interface. This flaw is at the heart of the Blaster or Lovesan virus that is currently battering networks around the world.
"The cynics amongst us were banking among one or the other [of the exploits] being widely attacked."
Microsoft New Zealand enterprise and partner group director Terry Allen says the flaw could potentially be as bad as the Code Red or SQL Slammer viruses. He also warns that any infected system won't be "cured" by simply installing the Microsoft supplied patch.
Yesterday Allen suggested users call the Microsoft services hotline (0800-800-004) before trying the patch. However, after being inundated with callers to the hotline, Microsoft this morning asked that users install the patch first and only call if they have further trouble with their systems.
Allen says the warning Microsoft sent out to patch servers earlier this week was pure coincidence and he had no prior warning that Blaster would hit yesterday.
Apart from the chaos such a worm will generate should it infect a network, the worm's only payload seems to be code that will launch a denial of service attack on the Windows Update site after August 15 through to the end of the year. Allen says he can confirm the target of the DOS attacks after Microsoft engineers have studied the virus but cannot say yet what solution Microsoft will put in place to avoid the attack.
Embarrassingly, the exploit affects Microsoft's Server 2003, one of the jewels in Microsoft's "trustworthy computing" plan, which saw all Microsoft engineers spending an entire month reviewing Windows source code for security holes and fixing them.
However, FitzGerald says Server 2003 still ships with such file sharing capabilities enabled.
"It's the supposedly ultra-secure, 'we turned everything off that's not critical' it's still a complete nightmare."
FitzGerald says even he struggles with the "features" that he wants to turn off.
"The problem with it is that it's really hard to prevent these services from binding to any network card in the PC. I have a laptop with a dial-up connection, an ethernet connection and a Wi-Fi card. When I've got my laptop plugged into my network in the office I want my laptop to see and be seen and do all the Microsoft network funky stuff with the other machines, but I don't want it to do those services on the dial-up or the Wi-Fi. I don't want that exposed to the world."
The Microsoft patch for the flaw can be found here.