Welcome to the ComputerProblems.org Free Computer Support & Technology Discussion.
#1 (permalink)
07-24-2003, 06:47 PM
SICS (Fearless Leader)
 
MCP Security E-mail Please Read

MCP NewsFlash Special Edition
July 24, 2003

Dear Microsoft Certified Professional,

On Wednesday, July 16, 2003, Microsoft released a security bulletin and patch covering a vulnerability in Windows RPC. http://www.microsoft.com/technet/sec.../MS03-026.asp.

This issue may generate questions among your peers and customers. Because Microsoft is committed to keeping customers' information safe, this e-mail provides additional information to help you address those questions. Microsoft updated this bulletin July 17 to provide customers with improved mitigation guidance. The patch issued July 16 is completely effective.

BACKGROUND
- Recently, a security research organization reported a critical vulnerability in the RPC component of the Windows operating system which could allow an attacker to execute code with Local System privileges.
- There are currently no known active exploits of this vulnerability.

WHAT WE'VE DONE
- Microsoft has analyzed the reported vulnerability and determined it represents a critical vulnerability.
- Microsoft issued security bulletin MS03-026 and released a patch which is now available via Microsoft's Download Center and Windows Update.

WHAT CUSTOMERS SHOULD DO
1. Microsoft strongly encourages all customers to download and apply the patch for the following affected operating systems:
   - Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003.
2. In addition to applying the patch, in line with good security practices, customers should protect their networks through the use of a firewall.
   - Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet.
   - Consumers should use a personal firewall technology such as Internet Connection Firewall in Windows XP.

QUESTIONS AND ANSWERS
Q: How serious is this vulnerability?
A: Microsoft has rated this vulnerability "critical" which means that arbitrary code could potentially be executed without user intervention. However, at this time, it is only a vulnerability, no known public exploits exist, nor do we know of any customers who have been impacted.

TECHNICAL BACKGROUND
Technical description:
Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the "mitigating factors" and "workarounds" discussions in the original security bulletin did not clearly identify all of the ports by which the vulnerability could potentially be exploited. We have updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked, and to ensure that customers who have chosen to implement a workaround before installing the patch have the information that they need to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability, and need take no further action.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.

Mitigating factors:
- To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, or 445 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

To learn more about securing RPC for client and server please refer to http://msdn.microsoft.com/library/de...or_server.asp.

To learn more about the ports used by RPC, please refer to http://www.microsoft.com/technet/pro...t4/tcpappc.asp

Severity Rating:
Windows NT 4.0: Critical
Windows NT 4.0 Terminal Server Edition: Critical
Windows 2000: Critical
Windows XP: Critical
Windows Server 2003: Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0352

Tested Versions:
Microsoft tested Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003, to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.

__________________
MCSE,MCSA,MCP,NET+,A+,CST,CNST
ComputerProblems.org Owner
Please do not PM me for support, support will be given in the public forum only, as it will help others with the same problem
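
A defender-side check for the firewall guidance in the quoted bulletin, added here as an example and not part of the original post or of Microsoft's bulletin: it parses Windows `netstat -an` output and lists listeners on ports 135, 139 and 445, over TCP or UDP, that are bound to a non-loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Ports the bulletin names as paths to the vulnerable RPC interface.
RPC_PORTS = {135, 139, 445}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:135          *:*
"""

def parse_listeners(netstat_text):
    """Yield (proto, address, port) for each listening TCP or bound UDP socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING rows accept new requests.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        yield proto, addr.strip("[]"), int(port)

def exposed_rpc_listeners(netstat_text, ports=RPC_PORTS):
    """Return listeners on the bulletin's ports that are reachable off-host."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if port not in ports:
            continue
        try:
            if ipaddress.ip_address(addr.split("%")[0]).is_loopback:
                continue  # bound to loopback only: not reachable from the network
        except ValueError:
            pass  # unparseable address: report it rather than hide it
        findings.append((proto, addr, port))
    return findings

if __name__ == "__main__":
    for proto, addr, port in exposed_rpc_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} listening; confirm the firewall blocks it")
```

Any listener it reports on an Internet-facing interface should be covered by a firewall block rule, as the bulletin recommends, in addition to the MS03-026 patch.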