Computer Protection Program Berkeley Lab
Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
  ALERTS  
Critical Vulnerabilities  

Microsoft Vulnerability Threatens Windows NT, 2000, XP, and Server 2003 Users <3/04>

A new, extremely serious buffer overflow vulnerability in the Microsoft ASN.1 Library can allow rogue code to execute on your system, enabling the code or an attacker to gain full control of it; a compromised system must be rebuilt to ensure its integrity. Your system is vulnerable if a search for msasn1.dll finds this DLL (dynamic link library) on your system. Go here for details. A good way to get the patch on Windows 2000, XP, and Server 2003 systems is to enable Windows Update.

An easy way to ensure that you have this and all previous patches since the last service pack for your system is to download and install the cumulative patch (or "megapatch") for your system. For example, if you are running Windows XP Professional with Service Pack 1, you should download and install the "Windows XP Pro Post SP1 Hot Fixes (Cumulative Patch)." To discover which version of Windows and what Service Pack your system is running, go to Start, go to Run, and then enter winver. For questions, call the Help Desk at 486-HELP or send email to help@lbl.gov.

IMPORTANT NOTICE TO WINDOWS NT/2000/XP USERS
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146) <9/03>

Microsoft just came out with a new bulletin that supersedes the previous one about the RPC DCOM interface vulnerability that the Blaster worm and its variants have been exploiting. It's now necessary to download and install the appropriate fix for your system, which is available at http://www.lbl.gov/ITSD/Security#download, to defend against Blaster and its variants, even if you have installed the previous hot fix, MS03-026. To determine the type of system you have, go from Start to Run and then enter:

winver

Reboot after the patch has been fully installed. If you have a Windows NT, 2000 or XP system, be sure to do this right away; a new worm that exploits this new vulnerability is extremely likely to strike the Internet soon. If you need help, contact the Help Desk at help@lbl.gov or 486-4357.


Critical Vulnerability in Windows Remote Procedure Call (RPC) Service <7/03>

Windows users — Microsoft recently released a bulletin (MS03-026) that describes a new, very serious vulnerability in the Windows Remote Procedure Call (RPC) service (see Microsoft Security Bulletin MS03-026).

Rated a "critical" vulnerability, it can allow an intruder to send excessive input to the DCOM (Distributed Component Object Model) component interface, causing a buffer overflow that results in execution of an unauthorized program with superuser privileges. With superuser privileges, an attacker can not only gain full control of the victim system, but can also launch similar attacks on any other Windows system.

This vulnerability exists in:

  • Windows NT (workstation and server)
  • Windows NT Terminal Server
  • Windows 2000 (all versions)
  • Windows XP, and
  • Windows Server 2003

It does not affect Windows 95, 98 and Me systems, however. To determine what version of Windows your system runs, go from Start to Run and then enter:

winver

Given the number of potentially vulnerable systems here at the Lab and the fact that it can allow unauthorized execution of programs that run as the superuser, this new vulnerability constitutes a very serious threat to our computing and network resources. A worm that exploits this vulnerability is very likely to be written and released soon. A patch is available for every vulnerable system.

If your system is vulnerable, you should immediately patch it by downloading and installing the mega patch for your particular type of system (Windows NT, Windows 2000, and so forth) from http://www.lbl.gov/download/. This mega patch will correct not only the RPC buffer overflow vulnerability, but also a number of other vulnerabilities.

The threat to unpatched systems is so great, however, that as a precautionary measure the Computer Protection Program is going to block all incoming LBLnet traffic to TCP port 135 (the port that can be used to exploit the vulnerability) at noon, Friday, July 18. Although in most cases there will be no effect on remote access to Windows systems within the Lab, this may disrupt a few Windows systems' (and possibly also SAMBA clients') access to applications on LBNL servers. Traffic from NERSC, ESnet, and JGI networks will not be blocked. If your system experiences disruption after the new block goes in place at noon, July 18, please contact the LBNL Help Desk at help@lbl.gov or by calling 486-4357.
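The block described above can be rehearsed against existing flow records to see which servers would lose outside access to TCP port 135. The following is an added example, not CPP's own tooling: the address ranges are constructed placeholders (the page gives no prefixes for LBLnet, NERSC, ESnet or JGI), and the four-column record format and the names classify and affected_servers are assumptions.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks); the real
# LBLnet, NERSC, ESnet and JGI prefixes are not given on the page.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
EXEMPT_NETS = {
    "NERSC": ipaddress.ip_network("198.51.100.0/25"),
    "ESnet": ipaddress.ip_network("198.51.100.128/25"),
    "JGI": ipaddress.ip_network("203.0.113.0/25"),
}
BLOCKED_PORT = 135  # TCP port named in the alert

def classify(src, dst, proto, dport):
    """Return 'block', 'exempt:<name>' or 'pass' for one flow under the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto != "tcp" or dport != BLOCKED_PORT:
        return "pass"          # the block covers TCP port 135 only
    if not any(d in n for n in INTERNAL_NETS):
        return "pass"          # not destined to the protected network
    if any(s in n for n in INTERNAL_NETS):
        return "pass"          # internal traffic never crosses the border
    for name, net in EXEMPT_NETS.items():
        if s in net:
            return f"exempt:{name}"
    return "block"

def affected_servers(flow_lines):
    """Map each internal server to the external sources the block cuts off."""
    hits = {}
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        if classify(src, dst, proto, int(dport)) == "block":
            hits.setdefault(dst, set()).add(src)
    return hits

SAMPLE_FLOWS = """\
# src dst proto dport (constructed records)
203.0.113.200 192.0.2.10 tcp 135
198.51.100.7 192.0.2.10 tcp 135
192.0.2.55 192.0.2.10 tcp 135
203.0.113.201 192.0.2.20 udp 135
203.0.113.202 192.0.2.10 tcp 135
""".splitlines()

if __name__ == "__main__":
    for server, sources in sorted(affected_servers(SAMPLE_FLOWS).items()):
        print(server, "loses TCP/135 access from", sorted(sources))
```

Servers that appear in the result are the ones whose remote users are likely to call the Help Desk once the block is in place.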

For questions or for further information send email to cppm@lbl.gov.
