New Windows RPC/DCOM vulnerabilities
September 11, 2003
New (as of September 10, 2003) critical security vulnerabilities have been found in the Windows RPC service. A remote attacker could use these vulnerabilities to take over your PC, or a worm could use them to infect your PC. Because these vulnerabilities are very similar to the previous RPC vulnerability, it is expected that exploits and worms targeting them will appear very soon.
Please patch your Windows NT, 2000, or XP PCs immediately!
All networked Windows PCs running NT, 2000, or XP, including wireless hosts, servers, and home machines, should be patched.
How to patch your PC
You can download patches from:
http://netreg.net.cmu.edu/patches (off-site link, will open in a new window)
or you can run Windows Update. To Run Windows Update:
- Run Internet Explorer
- Select "Windows Update" under the "Tools" menu in Internet Explorer.
- Scan for updates (if you are running 2000 or XP).
- To protect yourself against these vulnerabilities, you must install the security update numbered KB824146. It is recommended that you install all critical updates and Service Packs listed.
- Reboot your machine after installation.
- Because some updates depend on other updates already being installed, you should repeat steps 3-5 above until there are no critical updates or Service Packs left to install.
We will be pushing a patch for these vulnerabilities to unpatched hosts in the SCS Windows domain starting Friday morning. PCs that are patched in this manner will be forced to reboot as part of the patching process.
Again, please apply this patch immediately. Do not wait for us to patch your system, since there are many systems that we cannot remotely patch for various reasons.
We are still fixing hosts that were infected because of the previous RPC vulnerability. If your PC is infected or hacked, it will be filtered off the SCS network, and you will need to get in line behind the other people waiting to have their PCs fixed.
Any questions or comments should be sent to firstname.lastname@example.org, or should be directed to the Help Desk at 268-4231.
Details about the vulnerabilities
Microsoft announced on September 10, 2003 that there are additional vulnerabilities inn the Windows RPC service which could allow an attacker to take control of the system and run any arbitrary code of their choosing. Two of these vulnerabilities are remotely exploitable buffer overflows that may allow an attacker to execute arbitrary code with system privileges. The third vulnerability may allow a remote attacker to cause a denial of service. The Microsoft bulletin is at:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp (off-site link, will open in a new window)
It is believed that existing code, including the exploit implemented by W32.Blaster.Worm, which targets the vulnerability in RPC DCOM subsystem described in MS03-026 can easily be modified to successfully exploit one of the vulnerabilities listed in MS03-039. For this reason, Symantec Security Response believes that active exploitation and creation of Internet worms targeting this vulnerability is imminent. The vulnerability in question is purported to be a heap based overflow that can be exploited via an overly long NETBIOS name submitted via a specially formatted RPC packet.