When Microsoft released the first warning about RPC vulnerabilities on July 16, 2003 in security bulletin MS03-026, it took virus writers about 26 days to get the first version of the Blaster worm onto the wires (see Ed Hurley's excellent news story on this subject). By mid-September, we've seen six or more variants of the Blaster worm; in addition, the Welchia and Nachi worms have exploited the same vulnerability.
On September 10, 2003, Microsoft released security bulletin MS03-039, entitled "Buffer Overrun In RPCSS Service Could Allow Code Execution," which documents further problems in the same area of RPC code that led to MS03-026 and the subsequent infections. Security and virus experts have been quick to note that because existing Blaster, Nachi and Welchia code can be easily altered to exploit these new vulnerabilities, new worms or other malware that exploit them could appear in days, not weeks.
How can organizations head off such attacks? Given that the last round of exploits compromised over half a million systems and networks, here's the expert consensus on how to fend off future RPC exploits.
- Microsoft makes three entirely sound recommendations that all savvy system administrators would be wise to heed, entitled "Three steps to make sure your PC is protected":
  - Use an Internet firewall: properly installed, configured and updated, this should stymie most known attacks.
  - Get computer updates: applying Microsoft and other patches once they're made available will completely foil the RPC (and most other) exploits.
  - Use up-to-date antivirus software: screening incoming e-mail attachments, files, and other sources of incoming data blocks most potential infections.
- Block the ports associated with how Windows uses RPC at the firewall: UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593.
- Disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, if they're not used.
- Perform free, general security scans like those available from GFI Languard, Steve Gibson Research, or SecuritySpace.com. These can help pinpoint potential vulnerabilities and often suggest ways to close them.
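Blocking the RPC ports is only half the job; the firewall log then becomes an early-warning feed, because a worm such as Blaster announces itself by sweeping address after address on TCP 135. The following is an added example, not from the original article, that checks the port list above against constructed iptables-style log lines (the log format, the interface name `eth0` and the addresses are assumptions) and flags any source that hits RPC ports on several distinct hosts.

```python
import re
from collections import defaultdict

# Ports the article says to block at the perimeter for Windows RPC.
RPC_UDP_PORTS = {135, 137, 138, 445}
RPC_TCP_PORTS = {135, 139, 445, 593}

# Assumed log format: syslog line with iptables-style key=value fields.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S+).*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>TCP|UDP).*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Extract interface, addresses, protocol and destination port; None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"iface": m["iface"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}

def is_rpc_port(proto, port):
    return port in (RPC_TCP_PORTS if proto == "TCP" else RPC_UDP_PORTS)

def find_rpc_attempts(lines, external_iface="eth0"):
    """Inbound events on the external interface aimed at an RPC port."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["iface"] == external_iface and is_rpc_port(ev["proto"], ev["dpt"]):
            hits.append(ev)
    return hits

def scanning_sources(hits, min_targets=3):
    """Sources touching RPC ports on >= min_targets distinct hosts: a worm-like sweep."""
    targets = defaultdict(set)
    for ev in hits:
        targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed sample log: one source sweeping TCP 135, one UDP 445 probe,
# one harmless web hit, and one internal-interface line that must be ignored.
SAMPLE_LOG = [
    "Sep 12 03:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1034 DPT=135 SYN",
    "Sep 12 03:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=1035 DPT=135 SYN",
    "Sep 12 03:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=1036 DPT=135 SYN",
    "Sep 12 03:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=1037 DPT=135 SYN",
    "Sep 12 03:14:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1040 DPT=445",
    "Sep 12 03:14:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=80 SYN",
    "Sep 12 03:14:07 fw kernel: IN=eth1 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=3000 DPT=445 SYN",
]

if __name__ == "__main__":
    hits = find_rpc_attempts(SAMPLE_LOG)
    print(f"{len(hits)} inbound RPC-port attempts; sweeping sources: {scanning_sources(hits)}")
```

A host that is itself sweeping TCP 135 outbound is the same signal seen from the other side, so running the check over egress logs points at infected machines inside the network.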
Most experts agree that those affected by Blaster or related worms got hit because they hadn't gotten around to installing necessary patches and fixes. This time, get it done ASAP and avoid unnecessary and unwanted exposure.
Thomas Alexander Lancaster IV is a consultant and author with over 10 years experience in the networking industry, focused on Internet infrastructure.
This was first published in September 2003