Security Update for Windows

Discussion in 'other security issues & news' started by DolfTraanberg, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Title: Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
    Date: September 10, 2003
    Software:
    - Microsoft Windows NT Workstation 4.0
    - Microsoft Windows NT Server(r) 4.0
    - Microsoft Windows NT Server 4.0, Terminal Server Edition
    - Microsoft Windows 2000
    - Microsoft Windows XP
    - Microsoft Windows Server 2003
    Impact: Run code of attacker's choice
    Max Risk: Critical
    Bulletin: MS03-039

    Microsoft encourages customers to review the Security Bulletins
    at:

    http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
    http://www.microsoft.com/security/security_bulletins/MS03-039.asp

    -----------------------------------------------------------------

    Issue:


    The fix provided by this patch supersedes the one included in
    Microsoft Security Bulletin MS03-026.

    Remote Procedure Call (RPC) is a protocol used by the Windows
    operating system. RPC provides an inter-process communication
    mechanism that allows a program running on one computer to
    seamlessly access services on another computer. The protocol
    itself is derived from the Open Software Foundation (OSF) RPC
    protocol, but with the addition of some Microsoft specific
    extensions.

    There are three identified vulnerabilities in the part of RPCSS
    Service that deals with RPC messages for DCOM activation - two
    that could allow arbitrary code execution and one that could
    result in a denial of service. The flaws result from incorrect
    handling of malformed messages. These particular vulnerabilities
    affect the Distributed Component Object Model (DCOM) interface
    within the RPCSS Service. This interface handles DCOM object
    activation requests that are sent from one machine to another.

    An attacker who successfully exploited these vulnerabilities
    could be able to run code with Local System privileges on an
    affected system, or could cause the RPCSS Service to fail. The
    attacker could then be able to take any action on the system,
    including installing programs, viewing, changing or deleting
    data, or creating new accounts with full privileges.

    To exploit these vulnerabilities, an attacker could create a
    program to send a malformed RPC message to a vulnerable system
    targeting the RPCSS Service.

    Microsoft has released a tool that can be used to scan a network
    for the presence of systems which have not had the MS03-039 patch
    installed. More details on this tool are available in Microsoft
    Knowledge Base article 827363. This tool supersedes the one
    provided in Microsoft Knowledge Base article 826369. If the tool
    provided in Microsoft Knowledge Base Article 826369 is used
    against a system which has installed the security patch provided
    with this bulletin, the superseded tool will incorrectly report
    that the system is missing the patch provided in MS03-026.
    Microsoft encourages customers to run the latest version of the
    tool available in Microsoft Knowledge Base article 827363 to
    determine if their systems are patched.


    Mitigating Factors:

    - Firewall best practices and standard default firewall
    configurations can help protect networks from remote attacks
    originating outside of the enterprise perimeter. Best practices
    recommend blocking all ports that are not actually being used.
    For this reason, most systems attached to the Internet should
    have a minimal number of the affected ports exposed.

    Risk Rating:

    - Critical

    Patch Availability:
    - A patch is available to fix this vulnerability. Please read
    the Security Bulletins at

    http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
    http://www.microsoft.com/security/security_bulletins/MS03-039.asp
    for information on obtaining this patch.

    Acknowledgment:

    - eEye Digital Security (http://www.eeye.com/html)
    - NSFOCUS Security Team (http://www.nsfocus.com)
    - Xue Yong Zhi and Renaud Deraison from Tenable Network Security
    (http://www.tenablesecurity.com)

    for reporting the buffer overrun vulnerabilities and working with
    us to protect customers.
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( Here we go again...from the Internet Storm Center:

    Microsoft RPCSS Vulnerability
    http://isc.sans.org/diary.html?date=2003-09-10
    September 10th 2003 15:48 EDT
    "In response to today's announcement of a new Microsoft Windows RPC vulnerability, we raised the 'Infocon' to 'yellow' in order to alert users of the urgency to patch, and to point out that this is a new issue not covered by any of the prior RPC patches.
    - Microsoft released a new RPC related advisory (MS003-039). This advisory discloses a buffer overrun condition in the RPCSS service. This issue is not fixed by any patch applied to remedy the RPC DCOM vulnerability..."

    - Can download patch (approx. 916k for W2K) from here:
    http://support.microsoft.com/?kbid=824146
     
  3. DolfTraanberg

    Seems that Steve Gibson was right again :D
    http://www.wilderssecurity.com/showthread.php?t=13292
     
  4. AplusWebMaster

    :( FYI...from the Internet Storm Center:

    Windows RPCSS Vulnerability Update
    http://isc.sans.org/diary.html?date=2003-09-11
    "Several groups are working on an exploit for this vulnerability. Expect a working exploit to be published and used within the next few days...
    - This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)
    The RPCSS patch (MS03-039) has been made available on Sept. 10th (Wednesday). No patch prior to this date fixed this issue. While this is an RPC issue, it is a new and different issue as the one released in July.
    - You must patch as soon as possible
    We expect an exploit in widespread use shortly. At this point, you should be able to patch while assuming that the machine has not yet been compromised. However, within a few days this may no longer be the case and you will have to validate the system's integrity...
    - The patch for MS03-039 (RPCSS) does include the July patch for MS03-026 (RPC DCOM).
    - Workarounds
    >There are two workarounds. You can avoid exploitation by this vulnerability by applying firewall rules. In particular if you are using a host based ("Personal") firewall. For network firewalls, make sure no hosts are moved into the same zone with unpatched machines. We recommend setting up a "laptop quarantine" to avoid the introduction of malware from the outside of the network.
    >In order to protect unpatched systems, you should close the following ports:
    UDP 135, 137, 138, 445
    TCP 135, 139, 445, 593
    Other ports may be used as well depending on additional components you may have installed. In particular if you are using COM Internet Services (CIS) and RPC over HTTP, you need to close port 80 and 443 inbound.
    - To disable RPC, see this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
    - Update Vulnerability Scanners
    Scanners for the old RPC vulnerability will not recognize this new vulnerability, and may detect false positives for patched systems. Update to the most recent versions of your scanner..."


    (For complete detail, use the above link in this post).
     
  5. AplusWebMaster

    FYI...Buffer Overrun in RPCSS May Allow Code Execution
    -(reiteration for clarification)-
    http://support.microsoft.com/?kbid=824146
    (O/S systems affected:)
    "The information in this article applies to:
    Microsoft Windows Server 2003, 64-Bit Enterprise Edition
    Microsoft Windows Server 2003, 64-Bit Datacenter Edition
    Microsoft Windows Server 2003, Enterprise Edition
    Microsoft Windows Server 2003, Standard Edition
    Microsoft Windows Server 2003, Web Edition
    Microsoft Windows XP Professional
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Media Center Edition
    Microsoft Windows XP Tablet PC Edition

    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows NT Server 4.0
    Microsoft Windows NT Server 4.0 Terminal Server Edition
    Microsoft Windows NT Workstation 4.0...

    - NOTE: The features that are associated with these vulnerabilities are also not included with Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows 98 Second Edition, even if DCOM is installed..."


    (For complete information including -Patch Information- and -Updated Scanning Tool- information, use the above link in this post).
     
  7. AplusWebMaster

    :( FYI...per: https://www.wilderssecurity.com/securitynews.html

    Hackers Pass Out New Software for Attacks
    http://www.620ktar.com/news/article.aspx?article_id=217828&cc=012345

    "Security researchers on Tuesday detected hackers distributing software to break into computers using flaws announced last week in some versions of Microsoft Corp.'s Windows operating system...
    - The discovery gives fresh impetus for tens of millions of Windows users, inside corporations and in their homes, to immediately apply a free repairing patch from Microsoft. Homeland Security officials have warned that attacks could result in a "significant impact" on the operation of the Internet.
    - Researchers from iDefense Inc. of Reston, Va., who found the new attack software being distributed from a Chinese Web site, said it was already being used to break into vulnerable computers and implant eavesdropping programs. They said they expect widespread attacks similar to the Blaster infection within days...The latest hacker tool was relatively polished. It gives hackers access to victims' computers by creating a new account with the name "e" with a preset password. iDefense said the tool includes options to attack two Windows 2000 versions that are commonly used inside corporations..."
     
  9. AplusWebMaster

    :( FYI...

    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci931798,00.html
    - The UK's National Infrastructure Security Co-ordination Centre (NISCC) has warned that exploit code has been published on the Internet to take advantage of a buffer overrun flaw in the RPCSS Service affecting "a range of versions, levels and language versions of Microsoft Windows 2000 and XP."...
    14 October 2003
    http://www.uniras.gov.uk/l1/l2/l3/alerts2003/alert-2903.txt

    - NOTE: This appears to be in line with the RPCSS Service vuln and is a separate issue from the CERT advisory issued today - see CERT advisory topic here.
     