Blaster 2 on the horizon?

TechRepublic

Microsoft is urging users to patch their systems after the discovery of three new vulnerabilities in its version of the open source Remote Procedure Call (RPC) protocol, as detailed in Microsoft Security Bulletin MS03-039. This should be considered a particularly serious threat because it exploits a vulnerability that is similar to the one that allowed the Blaster worm to spread so quickly.

Details
RPC is a protocol used to allow one computer to access another with no special intervention from the user. Microsoft has modified the RPC protocol by adding Microsoft Windows-specific extensions.

The problem lies in the portion of RPCSS that involves Distributed Component Object Model (DCOM)—better known in the past as Network OLE. A malformed message sent to the service can result in a buffer overrun.

Two earlier DCOM-related Security Bulletins—MS03-026 (July 6, 2003, "Buffer Overrun In RPC Interface Could Allow Code Execution") and MS01-048 (Sept. 10, 2001, "Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail")—included patches that have been superseded by the ones provided in this latest bulletin.

RPCSS normally monitors UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593, but it will also monitor ports 80 and 443 if COM Internet Services (CIS) or RPC over HTTP is enabled.

Applicability
This vulnerability is found in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. Microsoft reports, "RPCSS is enabled by default in all versions of Windows." The version of RPCSS that shipped with Windows Me is not affected by this vulnerability.

Risk level—moderate to critical
MS03-039 covers three vulnerabilities. Exploiting two of them could let an attacker run arbitrary code on the vulnerable system with Local System privileges; the third is slightly less dangerous, resulting in a denial of service.

The vulnerabilities have been assigned the following universal Mitre CVE candidate designations:


Mitigating factors
Proper firewall configuration should mitigate outside attacks, but that's about all the good news.

Fix—apply patch or workarounds
The patch in MS03-039 also replaces the one provided just a few weeks ago with MS03-026. Knowledge Base article 827363 includes more information about this vulnerability and offers a link to the KB824146scan.exe tool, which can be used to determine whether a system is vulnerable to these flaws or has already been patched.

A number of workarounds can be applied to reduce the risk until you get a chance to install the patch. Microsoft lists the following steps for protecting unpatched systems, but most will seriously degrade usability on many networks.

You can configure network firewalls to block UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. Since it isn't normally practical to block port 80, you also need to disable CIS and RPC over HTTP. Although those are the default ports, other RPC ports may have been specifically configured and must also be blocked. Knowledge Base article 825819 explains how to disable CIS. See RPC over HTTP Security for additional information.

Remote PCs using a VPN connection to access the corporate network can be protected with a personal firewall. Windows XP and Windows 2003 ship with Microsoft's minimalist Internet Connection Firewall, which blocks inbound RPC traffic by default if the firewall is enabled.

An IPSec filter can also be used to block all the same ports mentioned above. Microsoft Knowledge Base articles 313190 and 813878 explain how to apply filters in IPSec.

Another workaround is to disable DCOM, but this will not be practical on many systems, if only because disabling DCOM on remote systems will prevent you from remotely re-enabling it later.

These workarounds won't work on all versions and levels of the affected operating systems.
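As an added illustration of the IPSec workaround (this script is not from the article or from the Knowledge Base articles it cites), the following batch file builds a local IPSec policy that blocks inbound traffic to the RPCSS ports listed above. It assumes Windows Server 2003 or Windows XP SP2, where the `netsh ipsec static` context exists; Windows 2000 uses ipsecpol.exe instead, and Windows NT 4.0 has no IPSec support.

```batch
@echo off
rem Added example: block the MS03-039 RPCSS ports with a local IPSec policy
rem until the patch can be installed. Assumes the "netsh ipsec static" context
rem (Windows Server 2003 / XP SP2). Policy, filter-list and action names are
rem arbitrary labels chosen here.
rem Caveat: blocking 135/139/445 also cuts off SMB file sharing, domain logon
rem and remote administration, so run this from the console, not over RDP/SMB.

set POLICY=MS03-039 RPC block
set FLIST=RPCSS ports
set FACTION=Block RPCSS

rem Filter list with one filter per port. dstaddr=me means this host,
rem srcport=0 means any source port, mirrored=yes also matches the reply flow.
netsh ipsec static add filterlist name="%FLIST%" description="RPCSS ports from MS03-039"
for %%P in (135 139 445 593) do (
    netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes
)
for %%P in (135 137 138 445) do (
    netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=%%P mirrored=yes
)

rem A filter action that drops matching packets, a policy, and a rule tying
rem the filter list to the action inside that policy.
netsh ipsec static add filteraction name="%FACTION%" action=block
netsh ipsec static add policy name="%POLICY%" description="Workaround until the MS03-039 patch is applied"
netsh ipsec static add rule name="Block RPCSS rule" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%"

rem Assign (activate) the policy. Only one local IPSec policy can be assigned
rem at a time, and a domain-level IPSec policy takes precedence over it.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Show what is now in force so the change can be verified.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem To back the workaround out after patching:
rem   netsh ipsec static set policy name="%POLICY%" assign=n
rem   netsh ipsec static delete policy name="%POLICY%"
```

Ports that RPC has been explicitly configured to use beyond the defaults, and ports 80/443 when CIS or RPC over HTTP is enabled, are not covered by this list and need their own filters.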

Final word
Although this newest vulnerability is not found in the almost completely unused Windows Me, it's important to note that this does affect the supposedly more secure Windows Server 2003—the flagship of Microsoft's newly discovered corporate emphasis on producing more secure software. On the other hand, lately I have seen fewer reports of new bugs caused by patches, so perhaps Trustworthy Computing is having some beneficial results (although it's important to remember that part of Trustworthy Computing is the promise to respond more quickly to newly discovered vulnerabilities, and that can also result in more security bulletins).

With MS03-039, nine patches are provided for various versions of the affected software. Some of the software isn't vulnerable to the DoS attack, and for others it poses only a Moderate threat, but the patch for each software version includes the fix for the arbitrary code execution vulnerability that is rated Critical on all affected systems.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2003 TechRepublic, Inc.
