Update:
A new worm, the Blaster
Worm, has exploited the RPC vulnerability.
How to Install the Latest Patch. If
your system is vulnerable (you don't have the latest
Windows patches), you should immediately
patch it by downloading and installing the latest Security/Service
patch for your particular type of system (Windows NT,
Windows 2000, and so forth) from http://www.lbl.gov/download/
(under "Security/Service Packs"). This service
patch will correct not only the RPC buffer overflow
vulnerability, but also a number of other vulnerabilities.
If you've never installed a patch before, see How
to Download the Latest Windows NT, Windows 2000, and
Windows XP Systems Security Patches.
How to Recover from Blaster. If you
become infected with the Blaster Worm, read Recovering
from MS Blaster for instructions on recovering from
Blaster, the MSBlaster Removal Tool, and the appropriate
patches for your system.
Windows users — Microsoft recently released a bulletin
(MS03-026) that describes a new, very serious vulnerability
in the Windows Remote Procedure Call (RPC) service (see Microsoft
Security Bulletin MS03-026).
Rated a "critical" vulnerability, it can allow
an intruder to send excessive input to the DCOM (Distributed
Component Object Model) component interface, causing a buffer
overflow that results in execution of an unauthorized program
with superuser privileges. With superuser privileges, an attacker
can not only gain full control of the victim system, but can
also launch similar attacks on any other Windows system.
Because of the number of potentially vulnerable systems here
at the Lab and the fact that the RPC vulnerability can allow
unauthorized execution of programs that run as the superuser,
this new vulnerability constitutes a very serious threat to
our computing and network resources.
The RPC vulnerability exists in:
- Windows NT (workstation and server)
- Windows NT Terminal Server
- Windows 2000 (all versions)
- Windows XP, and
- Windows Server 2003
It does not affect Windows 95, 98 and Me
systems, however. To determine what version of Windows your
system runs, go from Start to Run and then enter:
winver
The threat to unpatched systems was considered so great that
as a precautionary measure the Computer Protection Program
blocked all incoming LBLnet traffic to TCP port 135 (the port
that can be used to exploit the vulnerability) on July 18,
2003. Although in most cases there is no effect on remote
access to Windows systems within the Lab, this may disrupt
a few Windows systems' (and possibly also SAMBA clients')
access to applications on LBNL servers. Traffic from NERSC,
ESnet, and JGI networks will not be blocked. If your system
experienced disruption after the new block, please contact
the LBNL Help Desk at help@lbl.gov
or by calling 486-4357.
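The following is an added example, not part of the original advisory or any Computer Protection Program tooling: it applies the block described above (incoming TCP port 135, with exempt networks) to flow records and lists outside sources that tried several Lab hosts on that port. The network ranges, record format, function names, and threshold are all assumptions made for illustration.

```python
import ipaddress

# Assumption: constructed placeholder ranges (RFC 5737 documentation nets)
# standing in for the Lab network and the exempt NERSC/ESnet/JGI networks.
LAB_NET = ipaddress.ip_network("192.0.2.0/24")
EXEMPT_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_TCP_PORT = 135  # the port named in the advisory

# Constructed flow records: "src_ip dst_ip protocol dst_port"
SAMPLE_FLOWS = """\
203.0.113.7 192.0.2.10 tcp 135
203.0.113.7 192.0.2.11 tcp 135
203.0.113.7 192.0.2.12 tcp 135
198.51.100.20 192.0.2.10 tcp 135
203.0.113.50 192.0.2.10 tcp 80
192.0.2.33 192.0.2.10 tcp 135
203.0.113.9 192.0.2.10 udp 135
"""

def is_blocked(src, dst, proto, port):
    """True if the flow is incoming TCP/135 from a non-exempt network."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto.lower() != "tcp" or int(port) != BLOCKED_TCP_PORT:
        return False
    if dst not in LAB_NET or src in LAB_NET:
        return False  # not incoming: the block applies only at the border
    return not any(src in net for net in EXEMPT_NETS)

def audit(flow_text, sweep_threshold=3):
    """Return (blocked flows, sources that hit >= sweep_threshold Lab hosts)."""
    blocked, targets = [], {}
    for line in flow_text.splitlines():
        fields = line.split()
        try:
            if len(fields) != 4 or not is_blocked(*fields):
                continue
        except ValueError:
            continue  # skip records with a malformed address or port
        blocked.append(tuple(fields))
        targets.setdefault(fields[0], set()).add(fields[1])
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    return blocked, sweepers

if __name__ == "__main__":
    blocked, sweepers = audit(SAMPLE_FLOWS)
    print(f"{len(blocked)} flows blocked; sources hitting many hosts: {sweepers}")
```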
For questions or for further information, call Gene Schultz
of the Computer Protection Program at 495-2640 or send email
to eeschultz@lbl.gov.