Hackers pounce on latest Microsoft flaw

Hackers have moved quickly to exploit the critical flaw in Microsoft's Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface.

Workable exploit code is now in circulation on hacking mailing lists. Earlier versions were ineffective but the latest code seems to be working.

Microsoft released a patch for the critical flaw on 16 July.

The vulnerability involves the RPC protocol, which deals with inter-computer communications. Microsoft warned that, under certain circumstances, the RPC might not properly check messages sent to the PC.

A malformed message could be routed through port 135 and used to run code on the infected PC. Windows Exchange Server 2003, XP, 2000 and NT 4 are all affected.

"This is a big one," said Gunter Ollmann, EMEA manager at X-Force Security Assessment Services.

"Various versions of exploit code are now available and doing the rounds for the vulnerability. ISS is on AlertCon 3 at the moment, and may be going up to level 4, our highest level.

"There is already talk in both the underground and other security forums of worm development using this vulnerability."

Initial reports from mailing lists suggest that, while the exploit code may run, it is still easily detectable.

Once exploitation is complete RPC/DCOM functions fail completely, affecting functions like drag and drop or using the clipboard. This makes any attempt at hacking highly visible.

"It's certainly a danger in terms of worm development," said Graham Titterington, senior analyst at Ovum.

"This is a fundamental flaw in the architecture and many people won't get round to patching it; that's just the way the world works."