[Dshield] New Microsoft Windows RPC vulnerability
wbeckham at yahoo.com
Wed Sep 10 17:33:42 GMT 2003
I got this from TruSecure.
Microsoft has released a security bulletin, MS 03-039, that addresses a
vulnerability in the RPC/DCOM, similar to that responsible for the MS
Blaster/Lovsan event. In this case it may be possible to use Internet
services as an attack vector including port 80 traffic. RPC over HTTP is a
protocol for using port 80 (destination) and ephemeral
(source) for performing RPC calls across the Internet. If enabled, clients
initiate a call to a port 80-based RPC server and receive the RPC
instructions over whatever source port they used.
This vulnerability could allow a remote user to execute arbitrary code under
the Local System privilege.
The Microsoft tool that can be used to scan a network for the presence of
either the MS 03-026 patch, may report inconsistent findings if the MS
03-039 patch has been installed. However, the MS 03-039 patch supersedes
the MS 03-026 patch, and should be used in lieu of the MS 03-026 patch.
While there are not yet exploits in the wild, proactively applying this
patch may prevent another Lovsan type of worm outbreak.
- TruSecure's default-deny essential practice of blocking all unnecessary
  ports, both inbound and outbound, will help to mitigate an exploit of this
- Applying the patch referenced in MS 03-039
- Other mitigations and recommendations will be provided as TruSecure
  learns more about the changing risk that this bulletin may impact.
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Keith Bergen
Sent: Wednesday, September 10, 2003 10:13 AM
To: General DShield Discussion List
Subject: Re: [Dshield] New Microsoft Windows RPC vulnerability
What exactly is the update? All Microsoft says is that it is
a security update to a fault that would allow somebody to run
code. I don't see anything there that explains what exactly
they are patching.
---- Original message ----
>Date: Wed, 10 Sep 2003 12:56:10 -0400
>From: "Johannes B. Ullrich" <jullrich at sans.org>
>Subject: [Dshield] New Microsoft Windows RPC vulnerability
>To: list at dshield.org
>MSFT just released a new bulletin:
>(To celebrate this, I will allow a few anti MSFT, pro Linux
>SANS - Internet Storm Center
>PGP Key: http://isc.sans.org/jullrich.txt
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: