New Remote Procedure Call Exploit

Microsoft recently posted a security bulletin announcing a patch for Windows NT, Windows 2000, Windows XP and Windows Server 2003 operating systems. This patch corrects a security problem with the remote procedure call (RPC) function. The RPC function permits a remote computer to execute code on another computer. It is strongly recommended that this patch be installed.

We have received reports that may indicate active attempts to exploit computers running the above operating systems that lack the Windows MS03-026 patch.

If you are unsure whether your computer is vulnerable to this RPC exploit, free vulnerability scanners are available here and here. If you use these scanners, please restrict their use to the computers for which you are responsible.

We are also aware of some unconfirmed reports that installing the patch may still leave your computer vulnerable. Other possible ways to reduce this vulnerability include disabling COM Internet Services on your computer, or using hardware or software firewalls to:
  • Block TCP and UDP ports 135 (Remote Procedure Call)
  • Block TCP ports 139 and 445 (NetBIOS)
  • Block TCP port 593 (RPC-over-HTTP)
Of course, these additional steps should be rigorously tested before implementation, as some programs or functions you use may require these services to be available.
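
One way to use firewall logs to confirm that the blocks listed above are in effect, and to see which sources are probing those ports (an added example, not part of the original advisory). The log layout (a `#Fields:` header naming the columns), the `DROP`/`ALLOW` action values and the sample lines are constructed assumptions; adapt the field names to your own firewall's log.

```python
from collections import Counter

# Protocol/port pairs the advisory recommends blocking.
WATCHED = {("TCP", 135), ("UDP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 593)}

# Constructed sample log (documentation addresses); the layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-01 10:15:02 DROP TCP 198.51.100.7 192.0.2.10 4312 135
2003-08-01 10:15:03 DROP TCP 198.51.100.7 192.0.2.11 4313 135
2003-08-01 10:15:09 ALLOW TCP 203.0.113.44 192.0.2.10 1045 445
2003-08-01 10:16:40 ALLOW TCP 192.0.2.23 192.0.2.10 3389 80
2003-08-01 10:17:12 DROP UDP 198.51.100.7 192.0.2.10 1027 135
2003-08-01 10:17:30 DROP UDP 198.51.100.9 192.0.2.10 1030 137
2003-08-01 10:18:00 garbled line
"""


def review(log_text):
    """Return (hits per source, events that were not dropped) for WATCHED ports."""
    fields, hits, allowed = [], Counter(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the tag
            continue
        parts = line.split()
        if not fields or line.startswith("#") or len(parts) != len(fields):
            continue                        # comment, blank or malformed line
        rec = dict(zip(fields, parts))
        try:
            key = (rec["protocol"].upper(), int(rec["dst-port"]))
            src, dst, action = rec["src-ip"], rec["dst-ip"], rec["action"]
        except (KeyError, ValueError):
            continue                        # missing column or non-numeric port
        if key not in WATCHED:
            continue
        hits[src] += 1
        if action.upper() != "DROP":
            # Traffic to a port that should be blocked got through.
            allowed.append((src, dst) + key)
    return hits, allowed


if __name__ == "__main__":
    hits, allowed = review(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src}: {n} attempt(s) on blocked RPC/NetBIOS ports")
    for src, dst, proto, port in allowed:
        print(f"NOT BLOCKED: {src} -> {dst} {proto}/{port}")
```

Any entry in the second result means traffic reached a port the rules were meant to block, so the rule set should be rechecked before relying on it.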

An additional reference on this issue from CERT is also available here.