Microsoft and several security experts are warning enterprise administrators to patch their systems against newly discovered buffer overflow and denial-of-service vulnerabilities in Windows Remote Procedure Call (RPC).
In addition to patching, administrators are urged to employ some workarounds until more details emerge about the flaws and whether exploit code is available.
Last month, the Blaster worm roared through a similar critical hole in RPC, scanning Windows 2000 and XP machines for port 135. Blaster's proficient scanning generated volumes of traffic that brought some networks to a standstill.
Some of the workarounds include:
- Blocking UDP ports 135, 137, 138 and 445 at the firewall;
- Blocking TCP ports 135, 139, 445 and 593 at the firewall;
- Disabling DCOM services;
- Disabling RPC over HTTP, which listens on ports 80 and 443;
- Disabling COM Internet Services.
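As an added illustration that is not part of the original article, the following Python check evaluates a firewall ruleset against the UDP and TCP ports in the workaround list and reports any that would still be let through. The rule format, the first-match evaluation order and the sample rules are assumptions constructed for this example.

```python
# Ports from the workaround list above. 80 and 443 are left out because the
# article's advice there is to disable RPC over HTTP, not to block the ports.
WORKAROUND_PORTS = {"udp": (135, 137, 138, 445), "tcp": (135, 139, 445, 593)}

# Constructed sample ruleset in a hypothetical "action proto port[-port]" format.
SAMPLE_RULES = """
deny  tcp 135
allow tcp 400-600      # broad allow placed above the deny for 445
deny  tcp 445
deny  tcp 139
deny  udp 135
deny  udp 137-138
"""


def parse_rules(text):
    """Return a list of (action, proto, low, high) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, ports = line.lower().split()
        if action not in ("allow", "deny") or proto not in ("tcp", "udp"):
            raise ValueError(f"unrecognized rule: {raw!r}")
        low, _, high = ports.partition("-")
        rules.append((action, proto, int(low), int(high or low)))
    return rules


def verdict(rules, proto, port, default="allow"):
    """First matching rule wins; fall back to the default policy."""
    for action, rule_proto, low, high in rules:
        if rule_proto == proto and low <= port <= high:
            return action
    return default


def exposed_ports(text, default="allow"):
    """List the workaround ports that the ruleset would still let through."""
    rules = parse_rules(text)
    return [(proto, port)
            for proto, ports in WORKAROUND_PORTS.items()
            for port in ports
            if verdict(rules, proto, port, default) == "allow"]


if __name__ == "__main__":
    for proto, port in exposed_ports(SAMPLE_RULES):
        print(f"still reachable: {proto}/{port}")
```

In the sample, the broad allow for TCP 400-600 sits above the deny for 445, so TCP 445 and 593 remain open, and UDP 445 is open only because the default policy is allow.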
NT Bugtraq editor Russ Cooper wrote in a post to the mailing list that the RPC over HTTP or Tunneling TCP/IP vectors aren't enabled on many systems and would be unlikely entry points for a worm.
"The vulnerabilities patched by [Microsoft] represent new vectors for a Blaster-like worm to exploit, even if you have applied [patch] MS03-026," Cooper said.
In addition to the patch and several workarounds, Microsoft has also released a network scanning tool to find systems that don't have the MS03-039 patch. Microsoft is encouraging customers to use the tool--available in Microsoft Knowledge Base article 827363--to determine if their systems are patched.