BindView RAZOR Team Creates Rapid Fire Vulnerability Check for RPC Interface Buffer Overflow.


Business Editors/High-Tech Writers

HOUSTON--(BUSINESS WIRE)--July 18, 2003

What

BindView's RAZOR Rapid Response Team has created updates to detect a newly identified critical vulnerability. Microsoft Corporation has announced that all Windows NT-based operating systems are potentially vulnerable to a new Remote Procedure Calls (RPC) interface buffer overflow that allows attackers who can access the Distributed Component Object Model (DCOM) interface to gain full control of the target machine.

Within 24 hours, BindView developed checks to identify which systems were vulnerable, enabling customers to determine which systems to patch and to eliminate the vulnerability.

Customers running bv-Control for Windows and bv-Control for Internet Security can take immediate protective action. BindView customers who use these Vulnerability Management solutions and BindView's Rapid Fire Update service will have immediate access to the queries and updates via automatic distribution. Customers who use these solutions but do not use BindView's Rapid Fire Update service may download the new updates over the Web at http://www.bindview.com.

After running the queries, customers may see vulnerable systems in their environments. Normally, the RPC resides on TCP port 135; however, it sometimes can be accessed through ports 139, 445, 593 and 80. Web servers with COM Internet Services installed and enabled are vulnerable via port 80.

Who Is At Risk

Microsoft has announced that all systems running Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 are vulnerable. Most of these systems, however, will not be exploitable via the Internet. Access to RPC services is typically restricted by standard firewall configurations.

Those enterprises protected by firewalls may still be vulnerable to attacks from inside the firewall or from outsiders with the means to bypass the firewall, via VPN or dial-up for example.

Due to the seriousness of this vulnerability, customers should immediately verify that they are blocking access to ports 135, 139, 445 and 593 from the Internet to all systems under their control. Additionally, any systems with COM Internet Services installed and enabled should be immediately removed from the network and patched before access is restored.

After running the bv-Control queries to locate the vulnerable systems, the Microsoft patch should be installed as quickly as possible.

BindView has determined that systems with COM Internet Services installed and enabled are most vulnerable. Within 24 hours of the public release of the information, the BindView RAZOR team developed scripts to randomly sample IIS servers on the Internet and to determine the percentage of servers that are potentially vulnerable. Using this algorithm, BindView RAZOR members detected that only a small percentage of IIS servers are at risk from attack via the Internet. However, BindView encourages customers to check all systems to ensure the security of their business-critical IT infrastructures.

For More Information

More information about this can be found at http://www.lsd-pl.net/special.html and at http://www.microsoft.com/technet/security/bulletin/MS03-06.asp.

Commentary on the RPC Interface Buffer Overrun Vulnerability

BindView RAZOR Team experts are available to discuss this new vulnerability and share further insight into organizations most at risk, potential outcomes of an attack, as well as additional ways to secure enterprise IT infrastructures. Experts can also discuss the growing number of system vulnerabilities that have been identified in the past several months.
COPYRIGHT 2003 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication:Business Wire
Geographic Code:1USA
Date:Jul 18, 2003