United States

Change

All Microsoft Sites

Microsoft Support

Article ID: 331953 - Last Review: December 1, 2007 - Revision: 10.7

MS03-010: Flaw in RPC endpoint mapper could allow Denial of Service attacks

View products that this article applies to.

This article was previously published under Q331953

SYMPTOMS

There is a vulnerability in the part of the remote procedure call (RPC) functionality that deals with message exchange over TCP/IP. The vulnerability results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper service allows RPC clients to determine the port number currently assigned to a particular RPC service.

Back to the top

CAUSE

Microsoft has provided updates to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft cannot provide an update for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to use the workaround that is discussed in the MS03-10 Security Bulletin. You can use this workaround to help protect the Windows NT 4.0 system with a firewall that blocks Port 135. To view the MS03-10 Security Bulletin, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx)

Back to the top

Mitigating factors

To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper service that is running on the destination computer. For intranet environments, Endpoint Mapper is typically accessible. However, for Internet connected computers, the port that is used by Endpoint Mapper is typically blocked by a firewall. In a scenario where this port is not blocked or in an intranet configuration, the attacker would not require any additional administrative credentials.
Best practices recommend blocking all TCP/IP ports that are not actually being used. Therefore, most computers attached to the Internet will have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments. For more information about how to secure RPC for client and server, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa379441.aspx (http://msdn2.microsoft.com/en-us/library/aa379441.aspx)
For more information about the ports used by RPC, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/4dbc4c95-935b-4617-b4f8-20fc947c72881033.mspx?mfr=true (http://technet2.microsoft.com/WindowsServer/en/library/4dbc4c95-935b-4617-b4f8-20fc947c72881033.mspx?mfr=true)
This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote computer.

Back to the top

RESOLUTION

Service pack information

Windows XP

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 (http://support.microsoft.com/kb/322389/ ) How to obtain the latest Windows XP service pack

Windows 2000

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 (http://support.microsoft.com/kb/260910/ ) How to obtain the latest Windows 2000 Service Pack

Back to the top

Update information

Download information

The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition

Collapse this imageExpand this image

Download the 331953 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en)

Windows XP 64-bit Edition:

Collapse this imageExpand this image

Download the 331953 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=E3FB88CF-FA48-4426-A4F8-D18D8D4D2295&displaylang=en)

Windows 2000

All languages except Japanese NEC:

Collapse this imageExpand this image

Download the 331953 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=BD55EB38-A5DE-4810-90F7-097C5B4B9919&displaylang=en)

Japanese NEC:

Collapse this imageExpand this image

Download the 331953 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=3F7DC0DA-A684-43A8-B2E3-1EEDEEDC822C&displaylang=ja)

Release Date: March 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

The Windows 2000 version of this update requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 (http://support.microsoft.com/kb/260910/ ) How to obtain the latest Windows 2000 service pack

Installation information

This update supports the following Setup program switches:

/? : Display the list of installation switches.
/u : Use Unattended mode.
/f : Force other programs to quit when the computer shuts down.
/n : Do not back up files for removal.
/o : Overwrite OEM files without prompting.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).
/l : List installed hotfixes.
/x : Extract the files without running the Setup program.

For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:

q331953_wxp_sp2_x86_enu /u /q /z

To verify the update is installed on your computer, confirm that the following registry key exists:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953

Windows 2000:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953

Uninstall information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this update. Spuninst.exe is in the %Windir%\$NTUninstallQ331953$\Spuninst folder. The utility supports the following Setup program switches:

/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).

Restart requirement

You must restart your computer after you apply this update because this update replaces core system binaries that are loaded during system startup. Your computer is vulnerable until you restart it.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP with Service Pack 1 (SP1)

   Date         Time   Version        Size     File name
   ------------------------------------------------------
   07-Nov-2002  22:47  5.1.2600.1140  505,856  Rpcrt4.dll

Windows XP

   Date         Time   Version       Size     File name
   -----------------------------------------------------
   08-Nov-2002  02:16  5.1.2600.105  439,296  Rpcrt4.dll

Windows 2000

   Date         Time   Version        Size     File name
   ------------------------------------------------------
   25-Oct-2002  22:07  5.0.2195.6089  943,376  Ole32.dll
   25-Oct-2002  22:07  5.0.2195.6106  429,840  Rpcrt4.dll
   25-Oct-2002  22:07  5.0.2195.6089  184,592  Rpcss.dll

You can also verify the files that this update installed by reviewing the following registry key:

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953\Filelist

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953\Filelist

Windows 2000:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953\Filelist

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top

Windows XP

This problem was first corrected in Microsoft Windows XP Service Pack 2.

Back to the top

Windows 2000

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Back to the top

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx)

Back to the top

APPLIES TO

Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows NT Workstation 4.0 Developer Edition

Back to the top

atdownload kbwinxpsp2fix kberrmsg kbwin2ksp4fix kbsecvulnerability kbsecurity kbsecdos kbsecbulletin kbwinxppresp2fix kbbug kbfix kbwin2000presp4fix KB331953

Back to the top