Windows RPC flaw

More Articles

An attack tool, also known as an autorooter, is being used to compromise Windows servers. The tool can take commands that are sent through Internet relay chat (IRC) channels and is capable of scanning for and compromising systems vulnerable to the highly publicized recent Windows remote procedure call (RPC) vulnerability.

This vulnerability affects almost all versions of Windows and could enable a remote attacker to place and run malicious code on affected machines, giving them total control over the systems according to Microsoft.

After examining a clobbered together exploit package called Worm.Win32.Autorooter, it is obvious where this type of worm is heading. Because it requires no user interaction it is being compared to the buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that was exploited by the Code Red worm in July of 2001.

The major difference that I see, is that Code Red infected Windows servers only, this exploit has the capability of infecting servers AND workstations alike. Now we are talking millions of potential systems and not thousands.

I have seen a significant level of recon or scanning, since the Distributed Component Object Model (DCOM) exploit was found in the wild on July 25th, which once again brings up my major gripe. The current patching system is broke. What consumers should demand is that software vendors "start writing more secure applications." Only intense pressure from buyers appliance vendors to do the right thing for their customers by taking responsibility for the flaws they are putting in our computers and on our networks. If the Department of Homeland Security wants to improve cyber security it should demand that its vendors deliver secure configurations and automatically deliver patches that work, or pay the costs of cleaning up the messes caused by their failure to do so.

In the mean time, please take these steps to protect your environment. Block TCP port 135 (Windows RPC service), TCP port 139 (Windows NetBIOS network communication) and port 445 (Windows Server Message Block) on your local firewall. And apply the Microsoft patch found in regards to Microsoft Security Bulletin MS03-026: http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Publish your articles, comments, book reviews or opinions here!

More Articles by Michael Desrosiers

Versatile Site Map Generator $59.00
A1 Sitemap Generator

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.