A critical vulnerability in Windows RPC-DCOM, discovered July 16, ranks first among the most prevalent and dangerous vulnerabilities, according to a new list released Wednesday. The list, compiled by vulnerability-scanning service provider Qualys Inc., Redwood Shores, Calif., includes many older vulnerabilities, but the RPC-DCOM flaw is prominent, despite its recent discovery.

The vulnerability is in the way Remote Procedure Call (RPC) is implemented in most versions of Windows. The flaw, associated with the Distributed Component Object Model (DCOM) interface with RPC, is found in Windows NT, XP and 2000, as well as Windows Server 2003. The RPC-DCOM vulnerability is a typical buffer overflow. Attackers who send properly crafted RPC requests can gain control of susceptible systems. The flaw itself is certainly severe, but its pervasiveness makes it especially worrisome. Since it was announced, experts have predicted that a worm will be created to take advantage of it. Those predictions became even more dire last weekend, when code to exploit the vulnerability was posted on security mailing lists.