MS warns of widespread Windows vulnerability

Microsoft warned customers about three new security flaws in its products Wednesday, including a buffer overrun in the implementation of a common protocol that could give remote attackers total control over a Windows system.

The critical vulnerability, detailed in security bulletin MS03-026, affects a Windows component called the Distributed Component Object Model (DCOM) interface, which listens for traffic on TCP/IP port 135, Microsoft said. 

A flaw in the way that DCOM handles messages sent using the Remote Procedure Call (RPC) protocol causes the RPC service to fail when an incorrectly formatted message is received.

RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.

Attackers could send malformed messages specifically designed to crash the RPC service, resulting in the attacker's malicious code being run on the vulnerable machine, Microsoft said.

The flaw affects many supported versions of the Windows operating system, ranging from Windows NT 4.0 to Windows XP and Windows Server 2003, Microsoft said.

Any Windows machine on which traffic to port 135 has not been blocked is susceptible to attack, the company warned.

Personal and corporate firewalls typically block traffic on Port 135, protecting those machines from exploitation. However, machines located behind a firewall on corporate LANs and intranets would be vulnerable to internal attack, the company said.

Blocking port 135 on machines connected to a corporate LAN or intranet would prevent those machines from acting as file servers, according to Jeff Jones, senior director of Trustworthy Computing security at Microsoft.

This is the second time this year that Microsoft has issued a critical security bulletin linked to RPC. In March, the company warned of a flaw in Windows' implementation of RPC that could enable attackers to launch denial of service attacks against machines running Windows.

So widespread was that problem that Microsoft told customers that it would not be able to release a patch for systems running NT 4.0.

For the latest RPC flaw, an NT 4.0 patch is available, Jones said.

The latest RPC flaw was reported to the company in late June by an independent security consulting company called The Last Stage of Delirium Research Group.

The problem failed to get noticed internally because a tool that would have found the problem had not been integrated into automated code review tools that Microsoft uses to locate vulnerabilities, Jones said.

In addition, an internal review of the RPC code following that announcement didn't unearth the latest flaw because the two vulnerabilities were located in different modules of code, both relating to RPC, he said.

Microsoft will now be taking a closer look at the Windows component that yielded the latest critical flaw as well as all similar components, Jones said.

Asked whether the vulnerability was easy to take advantage of, Jones noted that it had existed in operating systems as far back as NT 4.0 and had not yet been detected by Microsoft or by the hacking community.