Research Reveals RPC Vulnerabilities to be the Main Target of Network Attacks in 2004

Infosecurity 2003, New York, NY — December 10, 2003 — Qualys™, Inc., the market leader of on-demand Network Security Audits and Vulnerability Management, today announced a year-end review of the RV10, a dynamic list of the ten most prevalent high-risk security vulnerabilities, updated automatically and continuously from the industry’s largest real-world vulnerability dataset. The RV10 trends indicate that Remote Procedure Calls (RPC), an essential component of client/server computing, will be the main target of worms and attacks in 2004 and impact systems beyond Windows, including Linux and other UNIX-based operating systems.

Gerhard Eschelbeck, CTO of Qualys, will disclose the RV10 trends and predictions today at a panel discussion he will lead at the Infosecurity 2003 Conference in New York City. Panelists will include Howard A. Schmidt, former cyber security advisor to the President; Mary Ann Davidson of Oracle; David Mortman of Siebel; and Jeff Moss of Black Hat. Pete Lindstrom of Spire Security will moderate the panel.

“RPC is at the heart of computing today, enabling distributed client/server applications across platforms,” said Gerhard Eschelbeck, CTO of Qualys and author of The Laws of Vulnerabilities. “This year, one-third of the most prevalent vulnerabilities were RPC-based. Next year, more than half will be RPC-based and will involve multiple operating systems. The pervasiveness of RPC will expand the breeding ground for next generation worms and attacks to heterogeneous environments.

“The mindset of organizations needs to change before an RPC worm with malicious payload is released,” said Howard A. Schmidt, former cyber security advisor to the President. “CSOs around the world are aware of this issue. We are now working to defend our critical infrastructure the best way we can, by developing an early warning system for comprehensive communication, continuous security assessments, and coordination between vendors and security researchers.”

Eschelbeck derived these trends and predictions from the industry’s largest real-world vulnerability dataset, an aggregation of critical vulnerabilities Qualys’ web service has detected from over three million scans during a two-year period.

2003 RV10 Trends:

• 3 of the 10 most prevalent vulnerabilities were RPC-based
• 8 of the 10 most prevalent vulnerabilities affected the Microsoft platform
• The current RV10 includes the vulnerabilities exploited by Nachi and Blaster; vulnerabilities exploited by Code Red and Slapper moved off the RV10

2004 RV10 Predictions:

• More than 50% of the most prevalent vulnerabilities will be related to RPC
• RPC-based worms will attack multiple operating systems simultaneously
• All vulnerabilities associated with high-impact worms will be listed on the RV10

About the RV10

The RV10 is a dynamic list of the ten most prevalent high-risk security vulnerabilities, updated automatically and continuously from a representative sample of thousands of networks. It is derived from the industry’s largest real-world vulnerability dataset aggregated from millions of scans performed by Qualys’ web service. The RV10 helps security administrators prioritize their remediation efforts by focusing first on the most dangerous vulnerabilities. The RV10 is a result of Gerhard Eschelbeck’s The Laws of Vulnerabilities, which identifies a direct correlation between the prevalence of a vulnerability and the appearance of a related exploit. The predictive capability of the RV10 was demonstrated within weeks of its creation: the Microsoft DCOM RPC vulnerability (MS03-026) debuted at number one on the index, and within less than two weeks the Blaster worm appeared and compromised networks worldwide.

The current RV10 is as follows:

• Microsoft IIS CGI Filename Decode Error Vulnerability CVE-2001-0333
• Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability CVE-2002-0071
• Apache Chunked-Encoding Memory Corruption Vulnerability CVE-2002-0392
• Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability CAN-2003-0109 (Nachi)
• Sendmail Address Prescan Possible Memory Corruption Vulnerability CAN-2003-0161
• Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability CAN-2003-0352 (Blaster)
• Microsoft Windows DCOM RPCSS Service Vulnerabilities CAN-2003-0528
• Microsoft Messenger Service Buffer Overrun Vulnerability CAN-2003-0717
• Microsoft Windows RPCSS Code Execution Variant Vulnerability CAN-2003-0813
• Writeable SNMP Information No CVE assigned

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey
Qualys
media@qualys.com