Critical Windows Flaw a Potential Springboard for Damaging Worm

Microsoft is feverishly trying to get users to apply a patch, released two weeks ago, for a critical RPC vulnerability that affects most supported versions of Windows, before a widespread worm based on the vulnerability can break out.

Several hacker sites last week published exploit code, an important precursor to the outbreak of a major worm similar to SQL Slammer or Nimda.

Microsoft took the unusual step of plastering notices about the vulnerability on non-security pages all over its Web site. The notices appear on the main Microsoft homepage and on several Windows-related Microsoft pages.

"Action for Windows users: Read Security Bulletin MS03-026, and install the security patch immediately," an alert headline in the upper right corner of Microsoft's homepage reads.

There have also been reports that Microsoft is issuing e-mail alerts outside of its normal security bulletin notification service to urge users to apply the patch, which was first posted on July 16.

The flaw is a huge problem because it can allow an attacker to remotely take control of a system. Affected platforms include Windows Server 2003, Windows 2000, Windows NT 4.0 and Windows XP. Windows 98 and Windows 98 SE are no longer supported and were not tested. Windows Me was found not to be vulnerable. Chinese and U.S.-based coders have already released exploit code that takes advantage of the vulnerability, and that code has been downloaded extensively.

The problem involves a buffer overrun vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. RPC is a protocol that Windows uses to allow a program on one computer to execute code on a remote system.

An attack would be similar to the highly damaging SQL Slammer and Nimda attacks, in that any worm written to exploit the problem would be released weeks or months after the patch was first issued.

A Gartner bulletin on Monday noted that there has also been widespread scanning of ports 135 and 445, which allow connections to Windows-based RPC services such as Active Directory. Gartner interprets the increase in scanning as another sign that a full-scale assault is imminent. "Enterprises should immediately ensure that Internet firewalls block the vulnerable services, use access control lists in routers to segment their networks and block the affected ports, and patch all Windows servers and desktops," Gartner analysts John Pescatore and Richard Stiennon wrote.
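The scanning Gartner describes shows up in perimeter logs as one source touching ports 135 or 445 on many different hosts. The sketch below is an added example, not from Microsoft or Gartner: it flags such sources and lists any connection the firewall let through. The log format, the sample lines and the threshold are constructed assumptions.

```python
from collections import defaultdict

RPC_PORTS = {135, 445}  # the two ports named in the Gartner bulletin

# Constructed sample in a made-up format: time src dst dport action
SAMPLE_LOG = """\
10:00:01 203.0.113.7 192.0.2.10 135 DENY
10:00:01 203.0.113.7 192.0.2.11 135 DENY
10:00:02 203.0.113.7 192.0.2.12 135 DENY
10:00:02 203.0.113.7 192.0.2.13 445 ALLOW
10:00:05 198.51.100.4 192.0.2.10 445 DENY
10:00:06 203.0.113.9 192.0.2.10 80 ALLOW
10:00:06 203.0.113.9 192.0.2.11 80 ALLOW
10:00:07 203.0.113.9 192.0.2.12 80 ALLOW
truncated line
"""

def parse(line):
    """Return (src, dst, dport, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _time, src, dst, dport, action = parts
    return src, dst, int(dport), action

def find_scanners(log_text, min_targets=3):
    """Map each source that probed RPC ports on at least min_targets
    distinct hosts to its target count and any connections allowed."""
    targets = defaultdict(set)   # src -> distinct hosts probed
    allowed = defaultdict(set)   # src -> (dst, port) pairs let through
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport, action = rec
        if dport not in RPC_PORTS:
            continue
        targets[src].add(dst)
        if action == "ALLOW":
            allowed[src].add((dst, dport))
    return {src: {"targets": len(dsts), "allowed": sorted(allowed[src])}
            for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Any entry under `allowed` marks a host that the firewall exposed on an RPC port, which makes it the first candidate for patching and for a tighter block rule.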

The Microsoft patch is available here:

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

