Windows RPC/DCOM vulnerability
August 19, 2003
Below are some commonly asked questions with answers about the Windows RPC vulnerability. If you have comments or other questions, please contact firstname.lastname@example.org or call the SCS Help Desk at x8-4231 (M-F, 9-5).
What is the problem?
A critical, remotely exploitable vulnerability has been found in the RPC/DCOM component of Microsoft Windows (Microsoft Security Bulletin MS03-026). It affects all versions of Windows commonly run in SCS, including NT, 2000, and XP. Exploit code has already been published. Apply the appropriate patch to your PC now; unpatched machines are being broken into.
Details about this vulnerability:
- Microsoft bulletin about the vulnerability
There are currently several worms that actively exploit this vulnerability, and many CMU hosts have already been infected by them.
What should I do to protect myself?
Everyone in the SCS community must run Windows Update and install the critical security update numbered 823980. You may need to install other patches and service packs to install this particular patch. It is strongly recommended that you install all critical updates and service packs to protect against other Windows security issues.
How to run Windows Update and patch yourself
- Run Internet Explorer (version 5 or higher).
- Select "Windows Update" under the "Tools" menu.
- Once you have connected to the Windows Update site, select "Scan for updates" (if you are running Windows 2000 or XP).
- It is recommended that you use Windows Update to install all "Critical Updates". At the minimum, you will need to install the security update numbered 823980 to protect against this vulnerability.
- You will need to reboot your machine after installation.
- Important: Because some updates depend on previous updates already being installed, you should re-run Windows Update after rebooting to verify that you have successfully installed the patches, and to install any remaining critical updates.
What should I do if I'm already infected by a worm?
If you are already infected, you need to remove the worm and then patch your system so you are not reinfected. To remove the worm, first identify which one it is and run the matching removal tool. See the Symantec datasheet on W32.Blaster.Worm for removal instructions for W32.Blaster, and the Symantec datasheet on W32.Welchia.Worm for removal instructions for W32.Welchia. These are the two most common worms we have been hit by, and both pages link to a removal tool.
What could somebody do on my PC if an intruder or worm took advantage of this vulnerability?
Anything they wanted, including destroying your files, reading your data (such as e-mail and other sensitive information), and recording your keystrokes. The vulnerability allows execution of arbitrary code with Local System privileges, so an intruder or worm gains complete control of the machine.
What happens if I don't patch?
If you don't patch, your PC will almost certainly get hacked. You may lose data, and your PC will be removed from the network until it is secured. If your PC is supported by Facilities, we will fix it. However, if many other people do not patch, your PC might be number 211 in a waiting list of 400 hosts that need to be fixed. Those numbers, while they may seem large, probably underestimate the actual magnitude of the problem.
What are the risks of patching?
A small percentage of hosts have had problems, such as blue screens or failures to boot, after installing patches and service packs. Facilities will fix any such problems on supported hosts. In our opinion, the risks of not patching are much greater than the risks of applying patches. To apply this patch, you may need to install prerequisite service packs. Installing the patch will require one or more reboots of your PC.
How can I tell if my PC is already patched?
You can run Windows Update and check your installation history to see if the security update numbered 823980 has been installed. Note that this update may not be separately listed on Windows NT hosts (it's part of a larger patch). The recommended way to check is to run Windows Update and make sure that there are no critical updates or service packs missing from your PC. Note that the patch will not be explicitly listed by Windows Update as something to install if you are missing prerequisite service packs.
Note: There have been cases reported where Windows Update wrongly reports that a machine has been patched.
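The check below is an added example and not part of the original FAQ. It confirms that KB823980 is really installed instead of trusting the Windows Update report alone, by gathering three independent signals: the hotfix registry key, the installed-updates list, and the file version of rpcrt4.dll, the RPC runtime the patch replaces. It is written in PowerShell, which did not exist on the hosts this notice targets, so it is for an administrator checking from a later Windows release; the Internet Explorer procedure above is the one the page gives. Two assumptions: the hotfix registry path is where the 2003-era installer recorded the update, and the patched rpcrt4.dll version is not hardcoded here; take it for your OS and service pack from the file-information table in MS03-026 and pass it in.

```powershell
# Added example (not from the original notice): verify KB823980 (MS03-026) is present
# using three independent signals, because the Windows Update report alone can be wrong.
# Assumed: the hotfix registry path below is where the 2003-era installer records the
# update; the patched rpcrt4.dll version comes from the MS03-026 file table via the caller.
param(
    [string]  $KB = 'KB823980',
    [version] $MinimumRpcrt4Version   # from the MS03-026 file-information table for your OS/SP
)

$result = [ordered]@{ KB = $KB }

# Signal 1: registry key written by the hotfix installer (assumed path for NT/2000/XP).
$hotfixKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\$KB"
$result.RegistryKeyPresent = Test-Path -Path $hotfixKey

# Signal 2: the installed-updates list (Win32_QuickFixEngineering). Absence here is
# not proof the patch is missing, and presence is not proof the DLL was replaced.
$result.ListedByGetHotFix = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

# Signal 3: the file version of rpcrt4.dll. Built from the numeric parts because the
# FileVersion string carries free-text build tags on some Windows builds.
$vi = (Get-Item -Path (Join-Path $env:SystemRoot 'System32\rpcrt4.dll')).VersionInfo
$result.Rpcrt4Version = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"

if ($MinimumRpcrt4Version) {
    # The file version is the authoritative signal: the registry key and the update list
    # only say the installer ran; the DLL version says whether the fix is actually on disk.
    $result.Patched = ($result.Rpcrt4Version -ge $MinimumRpcrt4Version)
} else {
    $result.Patched = 'unknown: pass -MinimumRpcrt4Version to decide'
}

[pscustomobject]$result
```

Run it as `.\Check-KB823980.ps1 -MinimumRpcrt4Version <version from the bulletin's file table>`. Treat a host as patched only when `Patched` is `True`; a present registry key with an old rpcrt4.dll is exactly the false positive the note above describes.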
What is SCS Facilities doing about this problem?
- We are pushing the patch to hosts in the SCS domain. This may also require installing prerequisite service packs. Patch installation will require one or more forced reboots.
- We have blocked incoming network traffic to ports 135, 139, 445, and 593 from hosts outside the SCS network. Exceptions have been made for some of the SCS Windows domain controllers and file servers (such as monolith). These hosts have been patched and are still reachable from outside hosts. This filtering is temporary, and will (hopefully) buy us some time to patch SCS hosts. It does not eliminate the need for patching.
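The script below is an added example, not something SCS Facilities distributed: a host-level counterpart to the border filter described above, built with the Windows Firewall cmdlets available on Windows 8 / Server 2012 and later. It blocks inbound TCP and UDP 135, 139, 445, and 593 from every address outside a trusted range. Because Windows Firewall has no "everything except this subnet" address filter, the script computes the complement of the trusted CIDR as explicit address ranges, which `-RemoteAddress` accepts. The trusted range is an assumption; `128.2.0.0/16` is only an illustrative default and should be replaced with your own.

```powershell
# Added example (not from the original notice): host-level equivalent of the border
# filter, blocking the RPC/NetBIOS/SMB ports from all addresses outside a trusted range.
# Assumed: the trusted range; 128.2.0.0/16 is an illustrative value, substitute yours.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $TrustedCidr = '128.2.0.0/16',
    [string[]] $Ports       = @('135', '139', '445', '593')
)

function ConvertTo-UInt32 ([string]$DottedQuad) {
    $b = ([ipaddress]$DottedQuad).GetAddressBytes()     # network byte order
    [BitConverter]::ToUInt32([byte[]]$b[3..0], 0)       # reverse for little-endian host
}
function ConvertFrom-UInt32 ([uint32]$Value) {
    [BitConverter]::GetBytes($Value)[3..0] -join '.'
}

# Complement of the trusted CIDR as at most two explicit ranges ("first-last" form).
$net, $bits = $TrustedCidr -split '/'
$size  = [uint64][math]::Pow(2, 32 - [int]$bits)
$start = [uint64](ConvertTo-UInt32 $net)
$start = $start - ($start % $size)                      # align to the network boundary
$end   = $start + $size - [uint64]1
$outside = @()
if ($start -gt 0) {
    $outside += "0.0.0.0-$(ConvertFrom-UInt32 ($start - [uint64]1))"
}
if ($end -lt [uint32]::MaxValue) {
    $outside += "$(ConvertFrom-UInt32 ($end + [uint64]1))-255.255.255.255"
}

# One block rule per protocol. Block rules win over allow rules in Windows Firewall,
# so traffic from inside the trusted range is simply not matched by these rules.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block RPC/NetBIOS/SMB ports from outside $TrustedCidr ($proto)"
    if ($PSCmdlet.ShouldProcess($name, 'New-NetFirewallRule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $Ports -RemoteAddress $outside -Profile Any | Out-Null
    }
}
"Blocking ports $($Ports -join ',') from: $($outside -join ' ; ')"
```

Run with `-WhatIf` first to see the two rules and the computed ranges without creating anything. As with the border filter, this only narrows who can reach the vulnerable service; a host inside the trusted range, or an e-mailed copy of the exploit, still gets through, so it does not replace the patch.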
Do I still need to patch my PC since Facilities is pushing out a patch?
Yes. There are many hosts in SCS that we will not be able to patch remotely because they are not in the SCS domain, are not consistently on the network, or for various other reasons. Every day that you go without patching your PC increases the chance that you will be hacked.
Will you try to install the patch again on my PC (and reboot it) if I've already patched it?
We will check to see if the patch is already installed before doing anything.
Do I still need to patch my PC since you're doing network filtering of the dangerous ports?
Yes. There are many ways for our filtering to be bypassed. For example, someone could place this exploit in an e-mailed attachment, or break into an SCS host by other means and then use that host to launch attacks on other hosts on our network.
Are there alternatives to patching?
You can disable DCOM on a computer as described in the Frequently Asked Questions section of Microsoft Security Bulletin MS03-026. This is not a good alternative to patching: it affects other functionality, once disabled it cannot be remotely re-enabled, and it does not protect against the vulnerability on Windows 2000 below Service Pack 3. It also does nothing about the many other serious security problems fixed by other patches. If you do disable DCOM, you will need to reboot your machine afterwards.
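The script below is an added example, not code from the bulletin or from SCS Facilities. It flips the `EnableDCOM` value under `HKLM\SOFTWARE\Microsoft\Ole` that the MS03-026 FAQ describes, and encodes the caveats above: it refuses to disable DCOM on Windows 2000 below Service Pack 3, where the switch is not an effective mitigation, it reports that a reboot is still required rather than rebooting, and it offers `-Enable` for the local reversal, since a disabled host cannot be re-enabled remotely. PowerShell itself does not run on Windows 2000, so in practice the service-pack guard documents the condition more than it protects anyone; it is kept so the script cannot be misapplied.

```powershell
# Added example (not from the original notice): disable (or locally re-enable) DCOM by
# setting the EnableDCOM value described in the MS03-026 FAQ. Refuses on Windows 2000
# below SP3, where this does not close the hole, and never reboots on its own.
param([switch]$Enable)   # default action is to disable DCOM

$olePath = 'HKLM:\SOFTWARE\Microsoft\Ole'
$os = Get-CimInstance -ClassName Win32_OperatingSystem

if (-not $Enable) {
    # Windows 2000 reports as NT 5.0; below Service Pack 3 the DCOM switch is not a mitigation.
    $isWin2000 = $os.Version -like '5.0.*'
    if ($isWin2000 -and [int]$os.ServicePackMajorVersion -lt 3) {
        throw "Windows 2000 below SP3: disabling DCOM does not protect this host; install KB823980 instead."
    }
}

$before  = (Get-ItemProperty -Path $olePath -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
$desired = if ($Enable) { 'Y' } else { 'N' }

if ($before -eq $desired) {
    "EnableDCOM is already '$desired'; nothing changed."
} else {
    # REG_SZ 'Y' or 'N'; the change is read at boot, so the host must be restarted.
    Set-ItemProperty -Path $olePath -Name EnableDCOM -Value $desired -Type String
    "EnableDCOM changed from '$before' to '$desired'. Reboot for this to take effect."
}
```

Run it from an elevated prompt on the console of the machine, not over a remote session you will need DCOM to get back into. Even with DCOM off, install KB823980 and the rest of the critical updates; this switch addresses one vulnerability and nothing else.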
How can I access hosts on the SCS network that are filtered?
You can use VPN software to connect to the SCS network. See our VPN documentation for instructions.
What else can I do to keep my PC secure?
See our Windows security documentation for other steps you can take to prevent your PC from being hacked or infected with a worm/virus.