BindView RAZOR Team Creates Rapid Fire Vulnerability Check for RPC Interface Buffer Overflow.

Business Editors/High-Tech Writers

HOUSTON--(BUSINESS WIRE)--July 18, 2003

What

BindView's RAZOR Rapid Response Team has created updates to detect a newly identified critical vulnerability. Microsoft Corporation has announced that all Windows NT-based operating systems are potentially vulnerable to a new Remote Procedure Calls (RPC) interface buffer overflow that allows attackers who can access the Distributed Component Object Model (DCOM) interface to gain full control of the target machine.

Within 24 hours, BindView developed checks to identify which systems were vulnerable, enabling customers to determine which systems to patch and to eliminate the vulnerability. Customers running bv-Control for Windows and bv-Control for Internet Security can take immediate protective action. BindView customers who use these Vulnerability Management solutions and BindView's Rapid Fire Update service will have immediate access to the queries and updates via automatic distribution. Customers who use these solutions but do not use BindView's Rapid Fire Update service may download the new updates over the Web at http://www.bindview.com.

After running the queries, customers may see vulnerable systems in their environments. Normally, the RPC resides on TCP port 135; however, it sometimes can be accessed through ports 139, 445, 593 and 80. Web servers with COM Internet Services installed and enabled are vulnerable via port 80.

Who Is At Risk

Microsoft has announced that all systems running Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 are vulnerable. Most of these systems, however, will not be exploitable via the Internet. Access to RPC services is typically restricted by standard firewall configurations.

Those enterprises protected by firewalls may still be vulnerable to attacks from inside the firewall or from outsiders with the means to bypass the firewall via VPN or dial-up, for example. Due to the seriousness of this vulnerability, customers should immediately verify that they are blocking access to ports 135, 139, 445 and 593 from the Internet to all systems under their control. Additionally, any systems with COM Internet Services installed and enabled should be immediately removed from the network and patched before access is restored. After running the bv-Control queries to locate the vulnerable systems, the Microsoft patch should be installed as quickly as possible.

BindView has determined that systems with COM Internet Services installed and enabled are most vulnerable. Within 24 hours of the public release of the information, the BindView RAZOR team developed scripts to randomly sample IIS servers on the Internet and to determine the percentage of servers that are potentially vulnerable. Using this algorithm, BindView RAZOR members detected that only a small percentage of IIS servers are at risk from attack via the Internet. However, BindView encourages customers to check all systems to ensure the security of their business-critical IT infrastructures.

For More Information

More information about this can be found at http://www.lsd-pl.net/special.html and at http://www.microsoft.com/technet/security/bulletin/MS03-06.asp.

Commentary on the RPC Interface Buffer Overrun Vulnerability

BindView RAZOR Team experts are available to discuss this new vulnerability and share further insight into organizations most at risk, potential outcomes of an attack, as well as additional ways to secure enterprise IT infrastructures. Experts can also discuss the growing number of system vulnerabilities that have been identified in the past several months.