Microsoft’s disclosure of three new security holes in Windows came just moments before its senior security strategist, Phil Reitinger, told lawmakers on the House Government Reform technology subcommittee about the company’s efforts to help consumers defend themselves against viruses and other Internet attacks.
Only a month after the Blaster worm tore through the Internet looking for machines vulnerable to a previous Remote Procedure Call (RPC) exploit, Microsoft has revealed a similar vulnerability. The three newly identified flaws are in the RPC protocol in Windows, and two of them resemble the vulnerability attacked by Blaster.
Affected versions of Windows include NT, 2000, XP and Server 2003. The vulnerabilities include two buffer overruns and a denial-of-service flaw. Specifically, the problems lie in the portion of the service that handles RPC messages for the activation of the Distributed Component Object Model (DCOM).
RPC is a protocol used by Windows to allow a program running on one computer to seamlessly access services on another computer. It is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions.
RPC helps with interoperability because programs using RPC do not have to understand the network protocols that are supporting communication. The vulnerabilities result from the Windows RPC service not properly checking message input under certain circumstances.
After establishing a connection, an attacker could send a specially crafted, malformed RPC message, causing the underlying DCOM activation infrastructure in the RPC service on the remote system to fail in such a way that arbitrary code could be executed.
By successfully exploiting these vulnerabilities, an attacker could run code with local system privileges on an affected system or could cause the RPC service to fail. The attacker then could take any action on the system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.
Patching the Hole
Microsoft has released a tool that can be used to scan a network for the presence of systems that have not had the patch installed. More details on this tool are available in a Microsoft knowledge base article.
Although Microsoft urges all customers to apply the security patch, some workarounds can be used to help guard against this vulnerability prior to patching individual systems. However, Microsoft makes no guarantee that the workarounds will block all possible attacks.
To employ the workarounds, you must block UDP ports 135, 137, 138 and 445 and TCP ports 135, 139, 445 and 593 at your firewall. You also must disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on affected computers.
You can block the affected ports by using an Internet Protocol Security (IPSec) filter, and disable CIS and RPC over HTTP on the affected computers.
Fertile Ground for Worm
In all three cases, the vulnerability results from the failure of the RPC service to handle malformed messages correctly. This set of weaknesses is similar to the one Blaster has been exploiting since August 11th. The worm infected hundreds of thousands of PCs, and numerous variants were released within a few days.
Most analysts say this new set of vulnerabilities might prove fertile ground for worm writers as well. To prevent a similar occurrence with the new RPC vulnerabilities, Microsoft is encouraging customers to use firewall software to block access to unnecessary communications ports.
Home users should enable the automatic update and automatic install features on Windows XP and other vulnerable versions of the operating system. These update features will automatically download and install the new patch.
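As an added example that is not part of the original article or of any Microsoft tool, the following Python script reads constructed firewall log lines (an assumed "date time ALLOW|BLOCK proto src:port -> dst:port" format) and checks them against the port list in the workaround above: it reports RPC/DCOM ports that were still reachable through the filter and sources that probed those ports on several hosts, the scanning pattern Blaster used to find vulnerable machines.

```python
# Added example, not from the article: check firewall log lines (constructed
# format) against the ports the workaround says to block, and flag sources that
# probe those ports across many hosts, the pattern Blaster used to spread.
import re
from collections import defaultdict

BLOCKED_TCP = {135, 139, 445, 593}   # ports named in the article's workaround
BLOCKED_UDP = {135, 137, 138, 445}

# Assumed line format: "<date> <time> ALLOW|BLOCK TCP|UDP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_rpc_port(proto, port):
    """True if proto/port is one the article says to block at the firewall."""
    return port in (BLOCKED_TCP if proto == "TCP" else BLOCKED_UDP)

def parse_line(line):
    """Return a dict for a matching line, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return None if m is None else {**m.groupdict(), "dport": int(m["dport"])}

def analyze(lines, scan_threshold=3):
    """Return (reachable, scanners): entries where an RPC/DCOM port was ALLOWed
    through (a gap in the filter), and {src: host_count} for sources that hit
    RPC ports on at least scan_threshold distinct hosts."""
    reachable, targets = [], defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None or not is_rpc_port(e["proto"], e["dport"]):
            continue
        if e["action"] == "ALLOW":
            reachable.append(e)
        targets[e["src"]].add(e["dst"])
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= scan_threshold}
    return reachable, scanners

# Constructed sample: 203.0.113.7 sweeps TCP 135; one host still reachable on 445.
SAMPLE_LOG = """\
2003-09-11 10:00:01 BLOCK TCP 203.0.113.7:3421 -> 192.0.2.10:135
2003-09-11 10:00:01 BLOCK TCP 203.0.113.7:3422 -> 192.0.2.11:135
2003-09-11 10:00:02 BLOCK UDP 203.0.113.7:1034 -> 192.0.2.12:137
2003-09-11 10:00:05 ALLOW TCP 198.51.100.4:2201 -> 192.0.2.20:445
2003-09-11 10:00:06 ALLOW TCP 198.51.100.9:4410 -> 192.0.2.20:80
2003-09-11 10:00:07 BLOCK TCP 198.51.100.9:4411 -> 192.0.2.21:593
""".splitlines()

if __name__ == "__main__":
    reachable, scanners = analyze(SAMPLE_LOG)
    print("RPC ports reachable:", [(e["src"], e["dst"], e["dport"]) for e in reachable])
    print("possible worm scanners:", scanners)
```

An ALLOW entry on one of the listed ports means the IPSec filter or firewall rule has a gap on that host; a source hitting the ports on many hosts in a short window is the traffic pattern to look for when a worm is spreading.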