
CRITICAL: Buffer Overrun In RPCSS Service Could Allow Code Execution

  • 10-09-2003 9:58pm
    #1
    Banned (with Prison Access) Posts: 16,659 ✭✭✭✭


    Sigh. Off you go to Windows Update then.
    Microsoft Security Bulletin MS03-039

    Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)

    The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026 and includes the fix for the security vulnerability discussed in MS03-026, as well as 3 newly discovered vulnerabilities.

    Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

    There are three newly identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation— two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

    An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

    To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.


Comments

  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    For the love of ...... :rolleyes:

    how many does this make the count over the last 3 weeks?

    Not exactly M$' finest hour in "trustworthy computing" is it?


  • Closed Accounts Posts: 622 ✭✭✭ColinM


    "billy gates why do you make this possible ? Stop making money and fix your software!!" ... before it hits the shops preferably.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,579 Mod ✭✭✭✭Capt'n Midnight


    Affected Software:

    Microsoft Windows NT Workstation 4.0
    Microsoft Windows NT Server® 4.0
    Microsoft Windows NT Server 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    Reboot needed: Yes
    99.999% reliability means 5 minutes down time per year - the number of recent reboots means this is impossible without clusters in the M$ world

    http://support.microsoft.com/?kbid=824146

    Has anyone got a good cheat sheet on SUS ???


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Originally posted by ColinM
    "billy gates why do you make this possible ? Stop making money and fix your software!!" ... before it hits the shops preferably.
    Which one was that in, Blaster? Stupid comment. There's no reason he couldn't do both.

    adam


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,579 Mod ✭✭✭✭Capt'n Midnight


    http://www.microsoft.com/downloads/details.aspx?FamilyId=13AE421B-7BAB-41A2-843B-FAD838FE472E&displaylang=en

    Download of tool to see which PCs on LAN are patched or not


    Usage : http://support.microsoft.com/default.aspx?kbid=827363
    At DOS PROMPT
    eg: kb824146scan 10.1.1.1/24

    =========================================
    Deployment Information
    To install the security patch without any user intervention and without forcing the computer to restart, use the following command line:

    WindowsXXXXXX-kb824146-x86-enu /u /q /z

    For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:
    http://www.microsoft.com/windows2000/windowsupdate/sus/susoverview.asp

    Again, anyone got a quick cheat sheet for SUS ??


  • Closed Accounts Posts: 1,141 ✭✭✭fisty


    here we go again...


    :rolleyes:


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,579 Mod ✭✭✭✭Capt'n Midnight


    Just what you need - the August patch did not fix all the holes...
    (applies to windows from 98se to 2003-64bit if you have 5.01sp3 to IE6sp3 - the other versions can't be regarded as safe since not tested.)

    From their sites:

    This vulnerability affects computers that have Microsoft® Internet Explorer installed. (You do not have to be using Internet Explorer as your Web browser to be affected by this issue.)

    V1.3 (September 8, 2003): Added information regarding reports that the patch provided does not properly correct the Object Type Vulnerability (CAN-2002-0532)

    Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems.

    The current status of this IE patch - fixes some other holes...
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp

    Impact of vulnerability: Two new vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user’s system if the user either browsed to a hostile Web site or opened a specially crafted HTML-based email message.

    Maximum Severity Rating: Critical
    BR549.DLL Buffer Overrun
    Browser Cache Script Execution in My Computer Zone
    Object Tag Vulnerability

