UPDATE: MS Patches Leave Systems Insecure and Break Services

Users are reporting problems with two of Microsoft's recent security hotfixes, which patch problems with Remote Procedure Call (RPC) and Windows file management functions.

On July 16, the company released Microsoft Security Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution), along with an associated patch for all Windows OSs except Windows 9x. The vulnerability is severe because it could let an intruder execute code of their choice on an unprotected system; the problem could also let an intruder obtain a remote command shell.

Research groups have released demonstration code on the Internet, which increases the risk that someone might launch a wide-scale attack, possibly using worm technology. However, users who block access to ports 135, 137, 139, and 445, and who disable DCOM using dcomcnfg.exe are better protected against attacks. But note that while it was thought that simply disabling DCOM using the dcomcnfg.exe tool would help prevent attacks, this is not always the case. Windows 2000 systems with Service Pack 2 or earlier must either have have Security Rollup Pack 1 installed, or the hotfix related to Microsoft bulletin MS01-041 (be sure to read article Q298012 ) installed, otherwise disabling DCOM is not effective.

Also note that a user reported on Focus-MS mailing list that "any IIS box with COM Internet Services installed is exploitable over 80/443 ... and any machine that [allows] RPC over HTTP is exploitable on 593 tcp/udp as well." Obviously, installing the patch might not be enough.

At least one user has reported on NTBugTraq that even with the patch installed, his Windows 2000 system (with SP4) was still vulnerable to Denial of Service (DoS) attacks against port 135 when demonstration code is used to test the vulnerability. At least one user confirmed similar problems on Windows 2000, but added that his Windows XP Home Edition was not vulnerable to DoS attacks after installing the patch. The DoS occures due to a crashed svchost.exe process.

One user has also reported that the RPC patch breaks "brick level backups" with Windows 2000 and Arcserve 2000.

As of July 30, one user has reported that Microsoft acknowledged the DoS issue as a "new problem" that is unrelated to the MS03-026 patch, and that the company will issue another patch to correct the DoS condition.

The idea that DoS attacks might still be possible even after loading the patch clearly points out the value of demonstration code. It lets researchers verify problems and test vendor patches that could prove to be faulty. Even if the "bad guys" can get their hands on the code, it's nothing new. Security advice has been the same for decades: Staying on top of security news and security patches is the only way to stay protected. In other words, security through obscurity is no security at all.

On July 23, Microsoft issued another patch associated with Security Bulletin MS03-029, (Flaw in Windows Function Could Allow Denial of Service), regarding a flaw in a Windows file management function. The problem affects Windows NT 4.0, including NT 4.0 Server Terminal Server Edition.

Several NTBugTraq users report that after installing the patch, their RAS stopped working properly. Most users found that uninstalling the patch corrected the RAS problems; however, as of this writing, Microsoft hasn't pulled the patch from its download site nor has it warned users that installing the patch might break RAS.

The problem was discovered by @Stake, who issued a security bulletin regarding the matter. The bulletin is much more informative than Microsoft's. According to @Stake, the vulnerability actually pertains to NT 4.0's file-naming process. Their advisory states, "The flaw can cause heap corruption to occur when a long string is passed to the file name functions. This results in the program calling the NT 4.0 file name processing functions to crash."

One attack vector pointed out by @Stake is IBM's Java Virtual Machine, which can pass a long string that in turn causes a DoS to occur because of an access violation. The vulnerability could let a remote user cause the DoS if Java were enabled on an affected system.

A reader has informed us that Microsoft has been testing a new patch for the RAS problem introduced by the fix associated with bulletin MS03-029. The patch has passed customer testing and Microsoft intends to issue the patch soon. In addition, the new patch will be associated with Microsoft article 825501, which was not available online at the time of this writing.