Andrew
10-14-03, 06:28 PM
Long-anticipated exploit code targeting the most recent Microsoft RPC vulnerabilities is circulating and may compromise even patched XP systems. Other versions of Windows might be vulnerable but haven’t been tested.
“This code is a universal exploit, which means that it can be used against any version of Windows that is not patched,” says Aaron Schaub, a security analyst at intelligence firm TruSecure. “However, there have been unconfirmed reports that it will still work against Windows XP SP1 even with all additional security updates installed.”
The code exploits a slight variant in the RPCSS (the Remote Procedure Call portmapper, which directs traffic for different services using RPC) vulnerability documented in Microsoft Security Bulletin MS03-039.
Experts report seeing increased activity on TCP port 135, which is associated with the vulnerable service.
If the exploit works against fully patched Windows XP systems, the best defense against the attack is to turn off the service, if possible. Windows XP uses this service extensively and turning it off isn’t a viable option in many situations. If the service can’t be turned off, the use of firewalls or access control lists to restrict access to vulnerable systems can reduce the chances of attack, says Schaub.
A patch was released to correct the "Buffer Overrun In RPCSS Service Could Allow Code Execution" (MS03-039) vulnerabilities, which deal with RPC messages for DCOM activation. According to Microsoft, two of the flaws could allow arbitrary code execution, and the third could result in a denial of service. The flaws affect Windows NT 4/2000/XP/Server 2003 and result from incorrect handling of malformed messages.
Many security experts have speculated that the release of a worm using this code could come at any time. In August, the prolific Blaster worm ripped through networks worldwide by exploiting a similar RPC/DCOM vulnerability for which a patch had been released more than three weeks before.
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp