Archives ||About Us || Advertise || Feedback || Subscribe-
Issue of October 2003 

 Home > Security watch
 Print Friendly Page ||  Email this story

Security watch

Vulnerabilities in Microsoft Windows

Microsoft has published a bulletin describing three vulnerabilities that affect numerous versions of Microsoft Windows. Two of these vulnerabilities are remotely exploitable buffer overflows that may allow an attacker to execute arbitrary code with system privileges. The third vulnerability may allow a remote attacker to cause a DoS.


The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages. There are two buffer overflow vulnerabilities in the RPCSS service, which is enabled by default on many versions of Microsoft Windows. These buffer overflows occur in sections of code that handle DCOM activation messages sent to the RPCSS service. Microsoft has also published information regarding a DoS vulnerability in the RPCSS service.

Systems Affected

Microsoft Windows NT Work-station 4.0/NT Server 4.0/Terminal Server Edition / Windows 2000 / Windows XP/Windows Server 2003.


By exploiting either of the buffer overflow vulnerabilities, remote attackers may be able to execute arbitrary code with Local System privileges. By exploiting the DoS vulnerability remote attackers may be able to disrupt the RPCSS service. This may result in general system instability and require a reboot.


Apply a patch from Microsoft

Microsoft has published Microsoft Security Bulletin MS03-039 to address this vulnerability. More information is available at

Block traffic to and from common Microsoft RPC ports

As an interim measure, users can reduce the chance of successful exploitation by blocking traffic to and from well-known Microsoft RPC ports, including Port 135 (tcp/udp) /137 (udp)/138 (udp)/139 (tcp)/445 (tcp/udp)/593 (tcp).

To prevent compromised hosts from contacting other vulnerable hosts, system administrators should filter the ports listed above for both incoming and outgoing traffic.

Disable COM Internet Services and RPC over HTTP

COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.

W32/Sobig.F Worm

A mass mailing worm, referred to as W32/Sobig.F, is spreading on the Internet. New information indicates that this worm has additional capabilities that were not realized at the time it first began propagating.


The W32/Sobig.F worm is an e-mail-borne malicious program with a specially crafted attachment that has a .pif extension. The e-mail messages may appear from random addresses and have subject lines like Re: Thank You!/Thank You!/Your details/Re: Details/Re: Re: My details/Re: Approved/Re: Your application/Re: Wicked screensaver/Re: That movie.

The worm requires a user to execute the malicious attachment either manually or by using an e-mail client that will open the attachment automatically. Upon successful execution, the worm installs itself as C:\%windir%\winppr.exe and also creates the file C:\%windir%\winstt32.dat.

An entry is also added to the Run registry key so that this executable will be run upon system restart. The key installed in HKEY _ LOCAL _ MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run is ScanX with the value "c:\winnt \winppr.exe /sinc". The program then proceeds to scan files with certain extensions (htm, html, dbx, hlp, mht, txt, wab) on the compromised system for valid e-mail addresses, and it uses an internal SMTP engine to e-mail itself to those addresses.

The worm uses the Network Time Protocol (NTP) to determine the current time. The worm also includes code that attempts to contact a list of 20 predefined IP addresses on port 8998/UDP on Fridays and Sundays between 1900 and 2200 UTC. It is believed that a location from which additional code can be downloaded is sent over this channel.


Run and maintain anti-virus product: While an up-to-date anti-virus software package cannot protect against all malicious code, for most users it remains the best first-line of defense against malicious code attacks. Most anti-virus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Sogib.F.

Do not run programs of unknown origin: Never download, install, or run a program unless you know it to be authored by a person or company that you trust. E-mail users should be wary of unexpected attachments. Users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users since these are commonly used methods among intruders attempting to build networks of Distributed Denial-of-Service (DDoS) agents.

Filter network traffic: Sites are encouraged to block network access to the following relevant ports at network borders. This can minimize the potential of DoS attacks originating from outside the perimeter. The specific services that should be blocked include: 123/UDP, 995/UDP, 996/UDP, 997/UDP, 998/UDP, 999/UDP, 8998/UDP

If access cannot be blocked for all external hosts, limit access to only those hosts that require it for normal operation.There is no report of any continued activity related to the "second phase" of the worm's operation, but encourages users to take action to recover their systems. Users need to install anti-virus software, and keep its virus signature files up-to-date.

B u g w a t c h
Malicious August

Symantec Security Response, Asia Pacific, provided an analysis of its August data. August was a month for new malicious threats, many of which feature in the Top Ten Threat list. This is the first time that the Internet community has had to deal with four Category, 3 or 4 worms in the space of eight days. First it was Blaster, then Welchia, then Dumaru, and finally Sobig.F.

Blaster and Welchia, two prominent threats this month, exploited the same Microsoft vulnerability (DCOM RPC). It is interesting to note that Bugbear.B, discovered in June this year, is still the number one threat at the top of the global list and also exploited a known vulnerability (Incorrect MIME Header Can Cause IE to Execute E-mail Attachment).

This trend in exploiting vulnerabilities has reinforced to Internet users the need to keep their security patches up to date. For protection at the desktop, users should ensure they have a firewall and update their anti-virus definitions to ensure that they are protected from these threats.

Symantec's top ten malicious threats

W32.Bugbear.B@mm W32.Blaster.Worm

W32.Blaster.Worm HTML.Redlof.A

W32.Sobig.F@mm W32.Bugbear.B@mm

W32.Klez.H@mm W32.Welchia.Worm

HTML.Redlof.A W32.Sobig.F@mm

W95.Hybris.worm W32.Nolor@mm

W32.Welchia.Worm W32.Klez.H@mm

W32.Bugbear.B.Dam Backdoor.Roxy

W32.Mimail.A@mm W95.Hybris.worm

W32.Spybot.Worm W32.Jeefo

- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.