Microsoft Corp. on Wednesday warned users of three newly identified Windows flaws that could allow attackers to virtually take over users’ machines and launch denial of service (DoS) attacks.
Two flaws, listed as critical, are buffer overruns, in which a program is sent more data than the memory set aside for it can hold, enabling attackers to take over the machines. The third is a DoS flaw that affects the Remote Procedure Call (RPC), a protocol used by the Windows operating system.
According to the Microsoft Security Bulletin MS03-039, if an attacker successfully exploits these vulnerabilities, he or she would be able to run code with local system privileges on affected systems, meaning the attacker could install or delete programs and change, delete or view data. (Please see http://www.microsoft.com/security/security_bulletins/ms03-039.asp.)
Affected software includes Windows NT Workstation 4.0, NT Server 4.0 and Terminal Server Edition, along with Windows 2000, Windows XP and Windows Server 2003.
The security holes are “very similar” to a vulnerability disclosed in July in bulletin MS03-026, according to Jeff Jones, senior director of Trustworthy Computing security at Microsoft. (Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.)
Code to exploit that vulnerability appeared on the Internet shortly after the release of the MS03-026 security bulletin. Within weeks, an Internet worm using that exploit code, W32.Blaster, was released, infecting hundreds of thousands of computers worldwide.
The patch released Wednesday also covers the earlier RPC hole and supersedes that earlier patch. Microsoft now recommends customers apply MS03-039 instead of the MS03-026 patch, Jones said.
Microsoft is recommending users of affected software download the patch immediately and beef up firewall configurations to help protect networks from remote attacks.
According to the CERT Coordination Center, a major reporting centre for Internet security problems located at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, users may limit exposure to attacks by blocking access to TCP and UDP ports 135, 139 and 445 from outside the network perimeter. However, attackers within the network perimeter would still be able to exploit the vulnerability.
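The CERT recommendation above can be checked against a perimeter rule list. The following is an added example, not part of the original article or of any advisory; the one-line rule format (`action protocol ports`, first match wins) and the sample rule sets are constructed for illustration and are not a vendor's syntax.

```python
from itertools import product

# Every protocol/port pair CERT recommends blocking at the perimeter.
REQUIRED = set(product(("tcp", "udp"), (135, 139, 445)))

def parse_rule(line):
    """Parse 'deny tcp 135-139' into (action, proto, low, high)."""
    action, proto, ports = line.split()
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"bad rule: {line!r}")
    if ports == "any":
        return action, proto, 0, 65535
    low, _, high = ports.partition("-")
    return action, proto, int(low), int(high or low)

def exposed_ports(rules, default="deny"):
    """Return the REQUIRED pairs that inbound traffic from outside can reach.

    Rules are evaluated top to bottom and the first match decides, so an
    early broad 'allow' can shadow a later 'deny'.
    """
    parsed = [parse_rule(r) for r in rules if r.strip()]
    exposed = []
    for proto, port in sorted(REQUIRED):
        verdict = default
        for action, rule_proto, low, high in parsed:
            if rule_proto in (proto, "any") and low <= port <= high:
                verdict = action
                break
        if verdict == "allow":
            exposed.append((proto, port))
    return exposed

# Constructed sample rule sets.
TCP_ONLY = ["deny tcp 135", "deny tcp 139", "deny tcp 445", "allow any any"]
SHADOWED = ["allow tcp 1-1023", "deny any 135-139", "deny any 445"]
FIXED = ["deny any 135", "deny any 139", "deny any 445", "allow tcp 1-1023"]

if __name__ == "__main__":
    for name, rules in (("TCP_ONLY", TCP_ONLY), ("SHADOWED", SHADOWED), ("FIXED", FIXED)):
        print(name, exposed_ports(rules) or "all six pairs blocked")
```

A clean result only describes traffic crossing the perimeter; as the article notes, hosts inside the network can still reach these ports.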
While Microsoft has not yet reported any exploitation of the vulnerabilities, Brampton, Ont.-based Nortel Networks issued its own advisory Wednesday to customers warning that some of its offerings may also be at risk.
The advisory stated that “a limited number of Nortel Networks products and solutions are potentially affected by this issue, and the nature of these products and solutions tends to place them within a private network. Accordingly, if network perimeter protection is employed as recommended by both CERT and Microsoft (i.e. blocking access to TCP & UDP ports 135, 139, and 445) these products and solutions should not be vulnerable to attacks from the public Internet.”
Vulnerable Nortel products include Symposium (including TAPI ICM), CallPilot, Business Communications Manager, International Centrex-IP, and Periphonics with OSCAR Speech Server. At press time, the following products were still under review by Nortel: Alteon Security Manager; Network Configuration Manager for BCM; Preside Site Manager; and Preside System Manager Interface.
Network Associates Inc. also issued a notice Wednesday informing its users that its McAfee Entercept line is able to identify and protect against buffer overrun vulnerabilities, including the latest Microsoft flaws. According to the company, Entercept disallows attack code from being executed from writable memory as a result of buffer overruns and does so even without the newest patch installed.
-With files from IDG News Service