DHS ADVISORY - WINDOWS
From: "Alexander G. Chamandy"
Subject: DHS ADVISORY - WINDOWS 
Date: Wednesday, July 30, 2003 6:49 PM

Potential For Significant Impact On Internet Operations Due To Vulnerability
In Microsoft Operating Systems (UPDATED)

Original Date July 24, 2003
Updated July 30, 2003

SYSTEMS AFFECTED: Computers using the following operating systems:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

OVERVIEW
THIS IS AN UPDATE TO THE DEPARTMENT OF HOMELAND SECURITY (DHS) JULY 24, 2003
ADVISORY ON MICROSOFT OPERATING SYSTEMS. The DHS/Information Analysis and
Infrastructure Protection (IAIP) National Cyber Security Division (NCSD) is
issuing this advisory in consultation with the Microsoft Corporation to
heighten awareness of potential Internet disruptions resulting from the
possible spread of malicious software exploiting a vulnerability in popular
Microsoft Windows operating systems.

DHS expects that exploits are being developed for malicious use. (UPDATE:
SEVERAL WORKING EXPLOITS ARE NOW IN WIDESPREAD DISTRIBUTION ON THE INTERNET.
THESE EXPLOITS PROVIDE FULL REMOTE SYSTEM LEVEL ACCESS TO VULNERABLE
COMPUTERS.) Two additional factors are causing heightened interest in this
situation: the affected operating systems are in widespread use, and
exploitation of the vulnerability could permit the execution of arbitrary
code. DHS and Microsoft are concerned that a properly written exploit could
rapidly spread on the Internet as a worm or virus in a fashion similar to
Code Red or Slammer. (UPDATE: NO WORM CODE HAS BEEN REPORTED; HOWEVER, AN
INTERNET-WIDE INCREASE IN SCANNING FOR VULNERABLE COMPUTERS OVER THE PAST
SEVERAL DAYS REINFORCES THE URGENCY FOR UPDATING AFFECTED SYSTEMS.)

IMPACT
The recently announced Remote Procedure Call (RPC) vulnerability in
computers running Microsoft Windows operating systems listed above could be
exploited to allow the execution of arbitrary code or could cause a denial
of service state in an unprotected computer. Because of the significant
percentage of Internet-connected computers running Windows operating systems
and using high speed connections (DSL or cable for example), the potential
exists for a worm or virus to propagate rapidly across the Internet carrying
payloads that might exploit other known vulnerabilities in switching
devices, routers, or servers.

DETAILS
There is a vulnerability in the part of RPC that deals with message exchange
over TCP/IP. The vulnerability results from the handling of malformed
messages. This particular vulnerability affects a Distributed Component
Object Model (DCOM) interface with RPC, which listens on RPC-enabled ports.
This interface handles DCOM object activation requests that are sent by
client machines (such as Universal Naming Convention (UNC) paths) to the
server. An attacker who successfully exploited this vulnerability would be
able to run code with local system privileges on an affected system. The
attacker would be able to take any action on the system, including
installing programs, viewing, changing, or deleting data, or creating new
accounts with full privileges.

RECOMMENDATION
Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage
system administrators and computer owners to take this opportunity to update
vulnerable versions of Microsoft Windows operating systems as soon as
possible. Microsoft updates, workarounds, and additional information are
available at

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

DHS and Microsoft further suggest that Internet Service Providers and
network administrators consider blocking TCP and UDP ports 135, 139, and 445
for inbound connections unless absolutely needed for business or operational
purposes.
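An added example, not part of the DHS advisory or the original mail, of how an administrator can verify the port-blocking recommendation above against their own perimeter logs. It assumes a constructed, simplified firewall log format ("timestamp ACTION PROTO src:sport -> dst:dport"); the sample lines, addresses and the three-host scanning threshold are all invented for illustration. It flags accepted inbound connections from external sources to TCP/UDP 135, 139 or 445 (the block is not in place for that host) and separately surfaces external sources that touched those ports on several distinct hosts, the kind of scanning the advisory says has increased.

```python
"""Audit firewall log lines for inbound traffic to the ports the advisory
recommends blocking (TCP/UDP 135, 139, 445).

The log format, sample lines and addresses are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Ports named in the DHS/Microsoft recommendation.
ADVISORY_PORTS = {135, 139, 445}

# Networks treated as internal; anything else is considered an external source.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed line format: "<ts> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one external host touching port 135 on three
# internal hosts, one dropped probe to 445, and legitimate internal SMB.
SAMPLE_LOG = """\
2003-07-30T18:01:02 ACCEPT TCP 203.0.113.7:4521 -> 192.168.1.10:135
2003-07-30T18:01:03 ACCEPT TCP 203.0.113.7:4522 -> 192.168.1.11:135
2003-07-30T18:01:03 ACCEPT TCP 203.0.113.7:4523 -> 192.168.1.12:135
2003-07-30T18:01:05 DROP TCP 198.51.100.9:3310 -> 192.168.1.10:445
2003-07-30T18:01:09 ACCEPT TCP 10.0.0.5:1150 -> 192.168.1.20:445
2003-07-30T18:01:11 ACCEPT TCP 203.0.113.7:4530 -> 192.168.1.10:80
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when the address is outside the internal networks listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def audit(log_text, scan_threshold=3):
    """Return (violations, scanners).

    violations: accepted inbound connections from external sources to an
      advisory port, i.e. hosts where the recommended block is not in place.
    scanners: external sources that touched advisory ports on at least
      scan_threshold distinct hosts (accepted or dropped).
    """
    violations = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ADVISORY_PORTS:
            continue
        if not is_external(rec["src"]):
            continue  # internal RPC/SMB traffic is outside the advisory's scope
        targets[rec["src"]].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            violations.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    scanners = sorted(src for src, dsts in targets.items() if len(dsts) >= scan_threshold)
    return violations, scanners


if __name__ == "__main__":
    found, probing = audit(SAMPLE_LOG)
    for src, dst, proto, port in found:
        print(f"BLOCK MISSING: {src} reached {dst} on {proto}/{port}")
    for src in probing:
        print(f"SCANNING SOURCE: {src}")
```

Dropped probes are deliberately counted toward the scanning indicator but not toward violations: a DROP shows the block is working, while a cluster of probes from one source is still worth reporting, as the advisory asks.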

Advisories recommend the immediate implementation of protective actions,
including best practices when available. DHS encourages recipients of this
advisory to report information concerning suspicious or criminal activity to
law enforcement or a DHS watch office.