Microsoft Windows RPCSS Vulnerability Update
Several groups are working on an exploit for this vulnerability. Expect a working exploit to be published and used within the next few days. We did compile a set of power point slides for IT managers to illustrate the most important facts of this issue:
PDF: http://isc.sans.org/presentations/MS03-039.pdf
Power Point: http://isc.sans.org/presentations/MS03-039.ppt
This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)
The RPCSS patch (MS03-039) has been made available on Sept. 10th (Wednesday). No patch prior to this date fixed this issue. While this is an RPC issue, it is a new and different issue as the one released in July.
You must patch as soon as possible
We expect an exploit in widespread use shortly. At this point, you should be able to patch while assuming that the machine has not yet been compromised. However, within a few days this may no longer be the case and you will have to validate the system's integrity.
The patch for MS03-039 (RPCSS) does include the july patch for MS03-026 (RPC DCOM).
Workarounds
There are two workarounds. You can avoid exploitation by this vulnerability by applying firewall rules. In particular if you are using a host based ("Personal") firewall. For network firewalls, make sure no hosts are moved into the same zone with unpatched machines. We recommend setting up a "laptop quarantine" to avoid the introduction of malware from the outside of the network.
In order to protect unpatched systems, you should close the following ports:
UDP 135, 137, 138, 445
TCP 135, 139, 445, 593
Other ports may be used as well depending on additional components you may have installed. In particular if you are using COM Internet Services (CIS) and RPC over HTTP, you need to close port 80 and 443 inbound.
To disable RPC, see this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
Update Vulnerability Scanners
Scanners for the old RPC vulnerability will not recognize this new vulnerability, and may detect false positives for patched systems. Update to the most recent versions of your scanner.
Links and Further Information
Microsoft Bulletin (Consumer version):
http://www.microsoft.com/security/security_bulletins/ms03-039.asp
Microsoft Bulletin (Technical Details):
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
Details about RPC:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/cis.asp
Scanners:
Microsoft: http://support.microsoft.com/?kbid=827363
Qualys: http://www.qualys.com/RPCSS
Eeye: http://www.eeye.com/html/Research/Tools/RPCDCOM.html
ISS: http://www.iss.net/support/product_utilities/Xfrpcss.php
Foundstone: http://www.foundstone.com/resources/scanning.htm
Symbolic.it (Italian and English): http://www.symbolic.it/Press/press_rpcheck2.html
PDF: http://isc.sans.org/presentations/MS03-039.pdf
Power Point: http://isc.sans.org/presentations/MS03-039.ppt
This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)
The RPCSS patch (MS03-039) has been made available on Sept. 10th (Wednesday). No patch prior to this date fixed this issue. While this is an RPC issue, it is a new and different issue as the one released in July.
You must patch as soon as possible
We expect an exploit in widespread use shortly. At this point, you should be able to patch while assuming that the machine has not yet been compromised. However, within a few days this may no longer be the case and you will have to validate the system's integrity.
The patch for MS03-039 (RPCSS) does include the july patch for MS03-026 (RPC DCOM).
Workarounds
There are two workarounds. You can avoid exploitation by this vulnerability by applying firewall rules. In particular if you are using a host based ("Personal") firewall. For network firewalls, make sure no hosts are moved into the same zone with unpatched machines. We recommend setting up a "laptop quarantine" to avoid the introduction of malware from the outside of the network.
In order to protect unpatched systems, you should close the following ports:
UDP 135, 137, 138, 445
TCP 135, 139, 445, 593
Other ports may be used as well depending on additional components you may have installed. In particular if you are using COM Internet Services (CIS) and RPC over HTTP, you need to close port 80 and 443 inbound.
To disable RPC, see this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
Update Vulnerability Scanners
Scanners for the old RPC vulnerability will not recognize this new vulnerability, and may detect false positives for patched systems. Update to the most recent versions of your scanner.
Links and Further Information
Microsoft Bulletin (Consumer version):
http://www.microsoft.com/security/security_bulletins/ms03-039.asp
Microsoft Bulletin (Technical Details):
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
Details about RPC:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/cis.asp
Scanners:
Microsoft: http://support.microsoft.com/?kbid=827363
Qualys: http://www.qualys.com/RPCSS
Eeye: http://www.eeye.com/html/Research/Tools/RPCDCOM.html
ISS: http://www.iss.net/support/product_utilities/Xfrpcss.php
Foundstone: http://www.foundstone.com/resources/scanning.htm
Symbolic.it (Italian and English): http://www.symbolic.it/Press/press_rpcheck2.html
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments
Anonymous
Dec 3rd 2022
10 months ago
Anonymous
Dec 3rd 2022
10 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
9 months ago