Exploitation of this vulnerability does not require any user interaction. The systems most at risk of exploitation are workstations and servers that allow access to the Server service through host-based firewalls. All systems hold the same risk, regardless of the affected operating system, because the Server service on each affected version runs with SYSTEM privileges.
An unauthenticated, remote attacker could exploit this vulnerability on Windows 2000, Windows XP, and Windows Server 2003 systems to execute arbitrary code. Microsoft rates this vulnerability as critical on these systems. However, on Windows Vista and Windows Server 2008, the rating is important because the attacker must have authenticated access to the targeted network, reducing the likelihood of attacks on these systems.
Default configurations of Windows XP SP2/SP3, Windows Vista, and Windows Server 2008 protect the RPC interface with the Windows Firewall. However, if the Windows Firewall is disabled, or if file or printer sharing has been enabled, the system will still be vulnerable to an attack.
The compromise of a Windows Server system fulfilling the role of an Active Directory domain controller could allow an attacker to gain access to the stored credentials of user accounts within the domain. If an attacker could retrieve and decrypt those credentials, the attacker could gain access to other resources within the affected site.
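The exposure conditions in the preceding paragraphs can be applied to a host inventory to decide patching order. The following Python is an added example, not part of the original advisory; the inventory columns, host names and tier numbers are assumptions constructed for illustration.

```python
import csv
import io

UNAUTH_OS = {"Windows 2000", "Windows XP", "Windows Server 2003"}  # rated critical
AUTH_OS = {"Windows Vista", "Windows Server 2008"}                 # rated important

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,os,firewall_on,sharing_on,domain_controller,patched
ws-01,Windows XP,yes,no,no,no
ws-02,Windows XP,yes,yes,no,no
dc-01,Windows Server 2003,no,yes,yes,no
fs-01,Windows Server 2008,yes,yes,no,no
ws-03,Windows Vista,yes,no,no,no
ws-04,Windows 2000,no,no,no,yes
"""

def tier(row):
    """Return (tier, reason) for one unpatched host; lower tier = patch sooner."""
    # The firewall only shields the Server service when it is on AND
    # file/printer sharing has not opened an exception for it.
    reachable = row["firewall_on"] != "yes" or row["sharing_on"] == "yes"
    if row["os"] in UNAUTH_OS:
        return (1, "reachable, no authentication needed") if reachable else (3, "firewall-shielded")
    if row["os"] in AUTH_OS:
        return (2, "reachable, authenticated attacker") if reachable else (3, "firewall-shielded")
    return (4, "OS not listed in the advisory")

def patch_order(inventory_csv):
    """Return [(host, tier, reason)] for unpatched hosts, most urgent first."""
    rows = [r for r in csv.DictReader(io.StringIO(inventory_csv)) if r["patched"] != "yes"]
    ranked = []
    for r in rows:
        t, reason = tier(r)
        # Domain controllers sort first within a tier: their compromise
        # exposes the stored credentials of domain accounts.
        ranked.append((t, r["domain_controller"] != "yes", r["host"], reason))
    ranked.sort()
    return [(host, t, reason) for t, _, host, reason in ranked]

if __name__ == "__main__":
    for host, t, reason in patch_order(SAMPLE):
        print(f"tier {t}  {host:6}  {reason}")
```

Tier 3 hosts are shielded, not fixed: they remain vulnerable if the firewall is later disabled or sharing is enabled, so they still need the update.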
Exploit code is publicly available, and the Troj/Gimmiv-A worm is also actively exploiting this vulnerability to install itself on target systems. Additional information on the worm is available in Alert 16947.
Microsoft corrects this vulnerability by improving the way the Server service handles RPC requests.
The Cisco Applied Intelligence team has re-released the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Cisco Applied Mitigation Bulletin: Out-of-Band Microsoft Security Bulletin for October 23, 2008