Among the over 100 vulnerabilities fixed by Microsoft this week during its monthly patch cycle is one that has the security community very worried. It’s a critical remote code execution (RCE) vulnerability located in the Windows Remote Procedure Call (RPC) runtime.
The flaw, tracked as CVE-2022-26809, can be exploited over the network with no user interaction, possibly using multiple protocols as a trigger. It’s the kind of vulnerability that gave life to major botnets in the past as some Windows processes use RPC to communicate with each other over networks.
“Patching is your only real fix for this vulnerability,” Johannes Ullrich, founder of the SANS Internet Storm Center, said in an advisory. “Don’t delay it. Patch now and apply the entire April update. It fixes several other critical flaws that may have a similar impact inside your network (e.g., the NFS [Network File System] flaw). You can’t ‘turn off’ RPC on Windows if you are wondering. It will break stuff. RPC does more than SMB [Server Message Block].”