DCOM Hole That Enabled Blaster Wider Than Originally Thought
- By Scott Bekker
The security hole in the Microsoft DCOM infrastructure in most supported versions of Windows is wider than the company originally feared.
Microsoft released a critical new patch on Wednesday that fixed three new vulnerabilities in the DCOM Remote Procedure Call (RPC) on almost all supported versions of Windows. The patch, MS03-039, supersedes the patch included with bulletin MS03-026, which Microsoft desperately urged corporate and home users to apply in the weeks leading up to the MS Blaster worm. Blaster was written to exploit the hole that Microsoft disclosed and patched in bulletin MS03-026. While Blaster was rated a critical problem, it was actually somewhat worse than the typical critical bulletin because it could be exploited without any user action.
What the new patch means is that there are several vulnerabilities that continue to be open to Blaster-style attacks. So while systems were protected against Blaster by MS03-026, even systems that have that patch won't be protected against any worms written to exploit the new vulnerabilities.
Two of the new vulnerabilities could allow an attacker to take complete control of a user's machine. The new vulnerabilities affect Windows Server 2003, Windows XP, Windows 2000 and Windows NT 4.0. The problem is serious enough that Microsoft went ahead and created a patch for Windows NT 4.0 Workstation and for Windows 2000 with Service Pack 2 even though both are no longer supported.
Microsoft also created a new network scanning tool to help administrators find unpatched systems.
The Microsoft bulletin is available here:
Scott Bekker is editor in chief of Redmond Channel Partner magazine.