• PC World
• » Windows

Microsoft has warned customers about three new security flaws in its products, including a buffer overrun in the implementation of a common protocol that could give remote attackers total control over almost any Windows system.

The critical vulnerability, detailed in Security Bulletin MS03-026, affects a Windows component called the Distributed Component Object Model (DCOM) interface. DCOM listens for traffic on TCP/IP port 135, Microsoft says.

Remote Call Flaw

A flaw in the way DCOM handles messages sent using the Remote Procedure Call (RPC) protocol causes the RPC service to fail when an incorrectly formatted message is received, Microsoft says. RPC is a common protocol that programs use to request services from other programs running on servers in a networked environment.

An attacker could send malformed messages specifically designed to crash the RPC service, resulting in the attacker's malicious code being run on the vulnerable machine, Microsoft says.

The flaw affects most versions of Windows, ranging from Windows NT 4.0 to Windows XP and Windows Server 2003, Microsoft says. Any Windows system that does not block traffic to port 135 is susceptible to attack, the company warns.

Personal and corporate firewalls typically block traffic on port 135, protecting those machines from exploitation. However, machines located behind a firewall on corporate LANs and intranets would be vulnerable to internal attack, the company said.

Blocking port 135 on systems connected to a corporate LAN or intranet will prevent those machines from acting as file servers, according to Jeff Jones, senior director of Trustworthy Computing security at Microsoft.

This is the second time this year that Microsoft has issued a critical security bulletin linked to RPC. In March, the company warned of a flaw in Windows' implementation of RPC that could allow denial-of-service attacks. Such attacks involve seeding dozens or more PCs with a program the attacker can activate to simultaneously strike a targeted server.

So widespread was that problem that Microsoft told customers that it would not release a patch for systems running NT 4.0.

Overlooked for Weeks

For the latest RPC flaw, an NT 4.0 patch is available, Jones says.

The latest RPC flaw was reported to the company in late June by an independent security consulting company called The Last Stage of Delirium Research Group.

The problem failed to get noticed internally because a tool that would have found the problem had not been integrated into automated code review tools that Microsoft uses to locate vulnerabilities, Jones says.

Also, an internal review of the RPC code after the earlier announcement didn't unearth the latest flaw because the two vulnerabilities are in different modules of code, both relating to RPC, he says.

Microsoft will now take a closer look at the Windows component that yielded the latest critical flaw, as well as all similar components, Jones adds.

Asked about the degree of the vulnerability, Jones notes it has existed in operating systems as far back as NT 4.0 and was not detected by Microsoft or by the hacking community.

"There were easier ones to find that people did find sooner," he says.

Other Patches

In addition to the RPC vulnerability, Microsoft warned Wednesday of two other security flaws, both rated "Important" by the company.

Bulletin MS03-027 describes how an unchecked buffer in a function used by the Windows XP desktop could let an attacker run a specially crafted configuration file, crash a Windows system, and then possibly execute code on the system.

Only PCs running Windows XP Service Pack 1 are affected by this vulnerability. Attackers would be limited to the current Windows user's level of system access.

In Bulletin MS03-028, Microsoft warns of a vulnerability in its Internet Security and Acceleration (ISA) Server 2000. Through it, an attacker could send malicious code to another user.

The flaw affects HTML error pages used by ISA Server to send custom error messages to requesting client machines.

An attacker would first need the address of the ISA server and its access policies, and then trick a victim into viewing an affected HTML error page and clicking a link on that page, Microsoft says.

Also, the ISA server would need to be acting as a gateway device to access the Internet directly, something that Microsoft does not recommend, Jones says.

• See more like this:
• flaw,
• vulnerability,
• bug,
• windows,
• Microsoft windows,
• windows xp,
• distributed component object model,
• dcom,
• buffer overrun,
• rpc,
• remote procedure call,
• MS03-026,
• MS03-027,
• MS03-028,
• patch