Download TrojanHunter Now
Free 30-day trial!
Latest TrojanHunter Version:
TrojanHunter 5.0
Order Now
License file delivered within minutes.
Welcome, Guest. Please Login or Register.
Oct 8th, 2008, 5:50am
   Mischel Internet Security Forum
   Internet Security
   News (Moderators: Helena, Gavin_Coe, Magnus)
   Microsoft Security Bulletin MS03-039		 « Previous topic | Next topic »
Pages: 1  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: Microsoft Security Bulletin MS03-039  (Read 1505 times)
MegaHertz
Senior Member
****




No one listens until you make a mistake.

   


Gender: male
 Posts: 302
Microsoft Security Bulletin MS03-039
« on: Sep 11th, 2003, 7:40pm »		 Quote Quote  Modify Modify
Originally posted: September 10, 2003
 
Summary
Who should read this bulletin: Users running Microsoft ® Windows ®  
 
Impact of vulnerability: Three new vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user’s system.  
 
Maximum Severity Rating: Critical
 
Recommendation: System administrators should apply the security patch immediately  
 
Protect your PC:
Additional information on how you can help protect your PC is available at the following locations:  
 
End Users can visit http://www.microsoft.com/protect  
IT Professionals can visit http://www.microsoft.com/technet/security/tips/pcprotec.asp  
 
Affected Software:
 
Microsoft Windows NT Workstation 4.0  
Microsoft Windows NT Server® 4.0  
Microsoft Windows NT Server 4.0, Terminal Server Edition  
Microsoft Windows 2000  
Microsoft Windows XP  
Microsoft Windows Server 2003  
Not Affected Software:  
Microsoft Windows Millennium Edition  
 
Technical details
Technical description:  
 
 
The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026 and includes the fix for the security vulnerability discussed in MS03-026, as well as 3 newly discovered vulnerabilities.  
 
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.  
 
There are three newly identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation— two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.  
 
An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.  
 
To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.  
Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.  
 
Mitigating factors:
 
Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed.
For more information about the ports used by RPC, visit the following Microsoft Web site: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpi p/part4/tcpappc.asp  
 
Severity Rating:  Windows NT Workstation 4.0 Windows NT Server 4.0 Windows NT Server 4.0, Terminal Server Edition Windows 2000 Windows XP Windows Server 2003  
Buffer Overrun Vulnerabilities Critical Critical Critical Critical Critical Critical  
Denial of Service Vulnerability None None None Important None None  
Aggregate Severity of all Vulnerabilities Critical Critical Critical Critical Critical Critical  
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.  
 
Vulnerability identifier:  
Buffer Overrun: CAN-2003-0715
 
Buffer Overrun: CAN-2003-0528
 
Denial of Service: CAN-2003-0605  
 
Tested Versions:
Microsoft tested Windows Millennium Edition, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
 
End User Bulletin:
An end user version of this bulletin is available at:  
 
http://www.microsoft.com/security/security_bulletins/ms03-039.asp.
IP Logged
"It IS As Bad As You Think, and They ARE Out to Get You."
Ian
Stole All the Forum Stars
********



Good things come to those who wait ...

   


Posts: 2907
Re: Microsoft Security Bulletin MS03-039
« Reply #1 on: Sep 16th, 2003, 9:41pm »		 Quote Quote  Modify Modify
I've just pushed this out over my curriculum network, since the city's WAN tec-set were almost melting the phone trying to get all schools in Leeds patched. Ain't MSI great? Just one push and it's done.
 
However, the tech guys insisted that the network was disconnected at the back of our router (Cisco 2600) before this was done, and I wasn't allowed to connect until it was finished. Interesting quandary, trying to download without a net link... especially with 3 platforms to support.
 
Still, 'tis done. Might just catch my breath before the next panic!
IP Logged
... but crap arrives pretty much straight away.
Jamming
Stole All the Forum Stars
********




Remember when a Trojan was just for protection.

   


Gender: male
 Posts: 2039
Re: Microsoft Security Bulletin MS03-039
« Reply #2 on: Sep 17th, 2003, 2:35am »		 Quote Quote  Modify Modify
Not Affected Software:  
Microsoft Windows Millennium Edition  
 
To bad you guys are using those terrible new operating systems, instead of a reliable one Wink
IP Logged
Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Microsoft Security Bulletin MS03-039
« Reply #3 on: Sep 17th, 2003, 3:13am »		 Quote Quote  Modify Modify
I saw this when it came it out, and it finally pushed me over the edge - I've installed SP4 for my Win2K. So far, so  good.
IP Logged
ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
Walter
Veteran
*****





   


Gender: male
 Posts: 573
Re: Microsoft Security Bulletin MS03-039
« Reply #4 on: Sep 17th, 2003, 3:31am »		 Quote Quote  Modify Modify
on Sep 17th, 2003, 2:35am, Jamming wrote:
Not Affected Software:  
Microsoft Windows Millennium Edition  
 
To bad you guys are using those terrible new operating systems, instead of a reliable one Wink

Cool Cool.
It brings a smile to the face when those of us using a notoriously "buggy" system - like WinME - are spared the exploits to which other, more "stable," systems are subjected. Grin
 
« Last Edit: Sep 17th, 2003, 3:32am by Walter » IP Logged
Strange as it may seem, no amount of learning can cure stupidity, and formal education positively fortifies it. S Vizinczey
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Microsoft Security Bulletin MS03-039
« Reply #5 on: Sep 17th, 2003, 5:04am »		 Quote Quote  Modify Modify
on Sep 17th, 2003, 3:31am, Walter wrote:

Cool Cool.
It brings a smile to the face when those of us using a notoriously "buggy" system - like WinME - are spared the exploits to which other, more "stable," systems are subjected. Grin
 

 
 
Yes, Walter, and as an act of kindness, we'll brush over the instances where it's the other way around. Remember that what USn's call CFS is called ME in the Commonwealth, so Windows ME was very well named.
IP Logged
ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
Walter
Veteran
*****





   


Gender: male
 Posts: 573
Re: Microsoft Security Bulletin MS03-039
« Reply #6 on: Sep 17th, 2003, 5:46am »		 Quote Quote  Modify Modify
on Sep 17th, 2003, 5:04am, maxqnz wrote:

 
 
Yes, Walter, and as an act of kindness, we'll brush over the instances where it's the other way around. Remember that what USn's call CFS is called ME in the Commonwealth, so Windows ME was very well named.

 Smiley Thanks, max . . .
Random acts of spontaneous kindness are always welcome.  Cool
IP Logged
Strange as it may seem, no amount of learning can cure stupidity, and formal education positively fortifies it. S Vizinczey
redwolfe_98
Veteran
*****





   
Email

Gender: male
 Posts: 560
Re: Microsoft Security Bulletin MS03-039
« Reply #7 on: Sep 18th, 2003, 3:17am »		 Quote Quote  Modify Modify
i believe/feel that win 98se is the best os (of the windows line). i may be missing something, and speaking in ignorance.. Smiley i switched to win xp because it seemed that people who were using win 98 seemed to have problems with programs that were designed to work with both win xp and win 98.   win xp feels like a rock, to me.. i had far less problems/complications when using win 98..win 98 seemed easier to work with..i tried reinstalling win 98 once...i guess i like the gui better with win xp..the audio in win xp is definitely higher fidelity. i have downloaded my firewall and the ms patches to disks, so i hope i can avoid any exposure to those rpc-related threats...
« Last Edit: Sep 18th, 2003, 6:59am by redwolfe_98 » IP Logged
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Microsoft Security Bulletin MS03-039
« Reply #8 on: Sep 18th, 2003, 4:12am »		 Quote Quote  Modify Modify
on Sep 18th, 2003, 3:17am, redwolfe_98 wrote:
i believe/feel that win 98se is the best os (of the windows line). i may be missing something, and speaking in ignorance.. Smiley i switched to win xp because it seemed that people who were using win 98 seemed to have problems with programs that were designed to work with both win xp and win 98.   win xp feels like a rock, to me.. i had far less problems/complications when using win 98..win 98 seemed easier to work with..i tried reinstalling win 98 once...i guess i like the gui better with win xp..the audio in win xp is definitely higher fidelity. i have downloaded my firewall and the ms patches to disks, so i hope i can avoid any exposure the those rpc-related threats...

 
Well, for me, I have never regretted moving from 98SE to W2K. 2K has been very stable, reliable and easy to work with. No more bsods alone has made the switch worthwhile.  
« Last Edit: Sep 18th, 2003, 4:13am by maxqnz » IP Logged
ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
MegaHertz
Senior Member
****




No one listens until you make a mistake.

   


Gender: male
 Posts: 302
Re: Microsoft Security Bulletin MS03-039
« Reply #9 on: Sep 18th, 2003, 4:27am »		 Quote Quote  Modify Modify
on Sep 18th, 2003, 4:12am, maxqnz wrote:

 
Well, for me, I have never regretted moving from 98SE to W2K. 2K has been very stable, reliable and easy to work with. No more bsods alone has made the switch worthwhile.  

Amen!!! Smiley
IP Logged
"It IS As Bad As You Think, and They ARE Out to Get You."
Ian
Stole All the Forum Stars
********



Good things come to those who wait ...

   


Posts: 2907
Re: Microsoft Security Bulletin MS03-039
« Reply #10 on: Sep 19th, 2003, 10:26pm »		 Quote Quote  Modify Modify
Well, I will miss the simplicity of Win98 when I finally let it go soon. Since end of August I've been unable to get anything out of WindowsUpdate (just flashes straight to 100% and gives me an error 0x800A138F, which apparently only relates to higher OS's). I'm guessing that MS has pulled the service - anyone else out there in Win98-land get the same bum rush from MS?
 
Max, let us know if SP4 causes any issues - I know that some of the software we use at school has 'issues' with it that essentially make saved files unusable, until fixes are available. I currently have mostly SP2 (patched) on most PCs, with SP3 on a few that couldn't handle one of the WindowsUpdate, erm, updates.
 
I'm toying with the idea of swallowing pride and putting XP Pro on this PC (but thankfully I can turn the 'jelly-tot' TellyTubby GUI off). The problem is that I have to support both on our end-user systems (XP on laptops, 2K on desktops), so experience could be useful.
IP Logged
... but crap arrives pretty much straight away.
MegaHertz
Senior Member
****




No one listens until you make a mistake.

   


Gender: male
 Posts: 302
Re: Microsoft Security Bulletin MS03-039
« Reply #11 on: Sep 19th, 2003, 11:12pm »		 Quote Quote  Modify Modify
Ian I was having the same problem recently and discovered that it was my HOSTS file blocking the updates. Apparently M$ is using some akami servers for part of the update process. I found the following in the iuident.txt file in my windows update folder.
 
Quote:
[IUServerCache]
ServerCount=4
CDMServerCacheIndex=2
BetaCDMServerCacheIndex=2
CDMQueryServerIndex=2
CDMBetaQueryServerIndex=2
IU_SiteQueryServerIndex=1
IU_SiteBetaQueryServerIndex=1
DefaultQueryServerIndex=1
AUQueryServerIndex=3
AUBetaQueryServerIndex=3
AUDriverQueryServerIndex=4
AUDriverBetaQueryServerIndex=4
Server1="https.//a248.e.akamai.net/v4.windowsupdate.microsoft.com/getman ifest.asp"
Server2="https.//a248.e.akamai.net/v4.windowsupdate.microsoft.com/consum erdrivers/getmanifest.asp"
Server3="https.//a248.e.akamai.net/v4.windowsupdate.microsoft.com/autoup date/getmanifest.asp"
Server4="https.//a248.e.akamai.net/v4.windowsupdate.microsoft.com/autoup datedrivers/getmanifest.asp

After I renamed my HOSTS file the update process worked flawlessly, well as flawlessly as any M$ software can I suppose.
 
Note: Changed colons after https to periods so the the BB software would not parse the URL's
IP Logged
"It IS As Bad As You Think, and They ARE Out to Get You."
maxqnz
Newbie
*




Walekam salaam, noho ora mai!

   
WWW  

Posts: 26
Re: Microsoft Security Bulletin MS03-039
« Reply #12 on: Sep 19th, 2003, 11:25pm »		 Quote Quote  Modify Modify
on Sep 19th, 2003, 10:26pm, Ian wrote:
Well, I will miss the simplicity of Win98 when I finally let it go soon. Since end of August I've been unable to get anything out of WindowsUpdate (just flashes straight to 100% and gives me an error 0x800A138F, which apparently only relates to higher OS's). I'm guessing that MS has pulled the service - anyone else out there in Win98-land get the same bum rush from MS?
 
Max, let us know if SP4 causes any issues - I know that some of the software we use at school has 'issues' with it that essentially make saved files unusable, until fixes are available. I currently have mostly SP2 (patched) on most PCs, with SP3 on a few that couldn't handle one of the WindowsUpdate, erm, updates.

 
 
 
To SP or not to SP? Aye there's the rub, it seems tyo be very software dependent. I asked around, and got several very positive reports, including one from a sysadmin who swears by SP4. There was a long thread on it in the SecureComp newsgroups when it first came out, and I asked there again before installing. So far, it's been very good to me, but I have heard of DirectX and video problems, and also that "read-only" type problem you refere to. In your position, I would wait, or ask in a specialist newsgroup, perhaps any that have sysadmin their name.  
IP Logged
ओ पालनहारे, तुमरे बिन हमरा कौनों नहीं
What's a pieriansipist?
Ian
Stole All the Forum Stars
********



Good things come to those who wait ...

   


Posts: 2907
Re: Microsoft Security Bulletin MS03-039
« Reply #13 on: Sep 19th, 2003, 11:26pm »		 Quote Quote  Modify Modify
Brilliant! I have a whole host of akamai references in my HOST file - including a248.e.akamai.net and a248.g.akamai.net, which I removed from the list. I also have IE-SpyAD running, so I added these two to the Trusted Zone (like WU is, to save bother) and it overrides the Restricted Zone wildcard setting.
IP Logged
... but crap arrives pretty much straight away.
Pages: 1  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »
Search
Members
Login
Register