MS warns of widespread Windows vulnerability

Microsoft warned customers about three new security flaws in its products Wednesday, including a buffer overrun in the implementation of a common protocol that could give remote attackers total control over a Windows system.

The critical vulnerability, detailed in security bulletin MS03-026, affects a Windows component called the Distributed Component Object Model (DCOM) interface, which listens for traffic on TCP/IP port 135, Microsoft said. (See

A flaw in the way that DCOM handles messages sent using the Remote Procedure Call (RPC) protocol causes the RPC service to fail when an incorrectly formatted message is received.

RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.

Attackers could send malformed messages specifically designed to crash the RPC service, resulting in the attacker's malicious code being run on the vulnerable machine, Microsoft said.

The flaw affects many supported versions of the Windows operating system, ranging from Windows NT 4.0 to Windows XP and Windows Server 2003, Microsoft said.

Any Windows machine on which traffic to port 135 has not been blocked is susceptible to attack, the company warned.

Personal and corporate firewalls typically block traffic on Port 135, protecting those machines from exploitation. However, machines located behind a firewall on corporate LANs and intranets would be vulnerable to internal attack, the company said.

Blocking port 135 on machines connected to a corporate LAN or intranet would prevent those machines from acting as file servers, according to Jeff Jones, senior director of Trustworthy Computing security at Microsoft.

This is the second time this year that Microsoft has issued a critical security bulletin linked to RPC. In March, the company warned of a flaw in Windows' implementation of RPC that could enable attackers to launch denial of service attacks against machines running Windows.

So widespread was that problem that Microsoft told customers that it would not be able to release a patch for systems running NT 4.0.

For the latest RPC flaw, an NT 4.0 patch is available, Jones said.

The latest RPC flaw was reported to the company in late June by an independent security consulting company called The Last Stage of Delirium Research Group.

The problem failed to get noticed internally because a tool that would have found the problem had not been integrated into automated code review tools that Microsoft uses to locate vulnerabilities, Jones said.

In addition, an internal review of the RPC code following that announcement didn't unearth the latest flaw because the two vulnerabilities were located in different modules of code, both relating to RPC, he said.

Microsoft will now be taking a closer look at the Windows component that yielded the latest critical flaw as well as all similar components, Jones said.

Asked whether the vulnerability was easy to take advantage of, Jones noted that it had existed in operating systems as far back as NT 4.0 and had not yet been detected by Microsoft or by the hacking community.

"There were easier ones to find that people did find sooner," he said.

In addition to the RPC vulnerability, Microsoft warned of two other security flaws, both rated "Important" by the company.

According to bulletin MS03-027, an unchecked buffer in a function used by the Windows XP desktop could enable an attacker to use a specially crafted configuration file to crash a Windows system and potentially execute code on the system.

Only machines running Windows XP Service Pack 1 are affected by the vulnerability, and attackers would be limited to the current Windows user's level of system access. (See

In MS03-028, the Redmond, Washington company warned of a vulnerability in its Internet Security and Acceleration (ISA) Server 2000 that could enable an attacker to use an ISA server to send malicious code to another user.

The flaw affects HTML error pages used by ISA Server to send customized error messages to requesting client machines.

An attacker would first have to know the address of the ISA server and its access policies and be able to trick a victim into viewing an affected HTML error page and clicking a link on that page, Microsoft said.

In addition, the ISA Server would need to be acting as a gateway device to access the Internet directly, something that Microsoft does not recommend, Jones said. (See

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?