MS warns of widespread Windows vulnerability

Microsoft warned customers about three new security flaws in its products Wednesday, including a buffer overrun in the implementation of a common protocol that could give remote attackers total control over a Windows system.

The critical vulnerability, detailed in security bulletin MS03-026, affects a Windows component called the Distributed Component Object Model (DCOM) interface, which listens for traffic on TCP/IP port 135, Microsoft said. (See

A flaw in the way that DCOM handles messages sent using the Remote Procedure Call (RPC) protocol causes the RPC service to fail when an incorrectly formatted message is received.

RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.

Attackers could send malformed messages specifically designed to crash the RPC service, resulting in the attacker's malicious code being run on the vulnerable machine, Microsoft said.

The flaw affects many supported versions of the Windows operating system, ranging from Windows NT 4.0 to Windows XP and Windows Server 2003, Microsoft said.

Any Windows machine on which traffic to port 135 has not been blocked is susceptible to attack, the company warned.

Personal and corporate firewalls typically block traffic on Port 135, protecting those machines from exploitation. However, machines located behind a firewall on corporate LANs and intranets would be vulnerable to internal attack, the company said.

Blocking port 135 on machines connected to a corporate LAN or intranet would prevent those machines from acting as file servers, according to Jeff Jones, senior director of Trustworthy Computing security at Microsoft.

This is the second time this year that Microsoft has issued a critical security bulletin linked to RPC. In March, the company warned of a flaw in Windows' implementation of RPC that could enable attackers to launch denial of service attacks against machines running Windows.

So widespread was that problem that Microsoft told customers that it would not be able to release a patch for systems running NT 4.0.

For the latest RPC flaw, an NT 4.0 patch is available, Jones said.

The latest RPC flaw was reported to the company in late June by an independent security consulting company called The Last Stage of Delirium Research Group.

The problem failed to get noticed internally because a tool that would have found the problem had not been integrated into automated code review tools that Microsoft uses to locate vulnerabilities, Jones said.

In addition, an internal review of the RPC code following that announcement didn't unearth the latest flaw because the two vulnerabilities were located in different modules of code, both relating to RPC, he said.

Microsoft will now be taking a closer look at the Windows component that yielded the latest critical flaw as well as all similar components, Jones said.

Asked whether the vulnerability was easy to take advantage of, Jones noted that it had existed in operating systems as far back as NT 4.0 and had not yet been detected by Microsoft or by the hacking community.

"There were easier ones to find that people did find sooner," he said.

In addition to the RPC vulnerability, Microsoft warned of two other security flaws, both rated "Important" by the company.

According to bulletin MS03-027, an unchecked buffer in a function used by the Windows XP desktop could enable an attacker to use a specially crafted configuration file to crash a Windows system and potentially execute code on the system.

Only machines running Windows XP Service Pack 1 are affected by the vulnerability, and attackers would be limited to the current Windows user's level of system access. (See

In MS03-028, the Redmond, Washington company warned of a vulnerability in its Internet Security and Acceleration (ISA) Server 2000 that could enable an attacker to use an ISA server to send malicious code to another user.

The flaw affects HTML error pages used by ISA Server to send customized error messages to requesting client machines.

An attacker would first have to know the address of the ISA server and its access policies and be able to trick a victim into viewing an affected HTML error page and clicking a link on that page, Microsoft said.

In addition, the ISA Server would need to be acting as a gateway device to access the Internet directly, something that Microsoft does not recommend, Jones said. (See

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?