MS03-010: Flaw in RPC endpoint mapper could allow Denial of Service attacks

Article translations Article translations
Article ID: 331953 - View products that this article applies to.
This article was previously published under Q331953
Expand all | Collapse all

On This Page

SYMPTOMS

There is a vulnerability in the part of the remote procedure call (RPC) functionality that deals with message exchange over TCP/IP. The vulnerability results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper service allows RPC clients to determine the port number currently assigned to a particular RPC service.

CAUSE

Microsoft has provided updates to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft cannot provide an update for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to use the workaround that is discussed in the MS03-10 Security Bulletin. You can use this workaround to help protect the Windows NT 4.0 system with a firewall that blocks Port 135. To view the MS03-10 Security Bulletin, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx

Mitigating factors

  • To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper service that is running on the destination computer. For intranet environments, Endpoint Mapper is typically accessible. However, for Internet connected computers, the port that is used by Endpoint Mapper is typically blocked by a firewall. In a scenario where this port is not blocked or in an intranet configuration, the attacker would not require any additional administrative credentials.
  • Best practices recommend blocking all TCP/IP ports that are not actually being used. Therefore, most computers attached to the Internet will have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments. For more information about how to secure RPC for client and server, visit the following Microsoft Web site:
    http://msdn2.microsoft.com/en-us/library/aa379441.aspx
    For more information about the ports used by RPC, visit the following Microsoft Web site:
    http://technet2.microsoft.com/WindowsServer/en/library/4dbc4c95-935b-4617-b4f8-20fc947c72881033.mspx?mfr=true
  • This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote computer.

RESOLUTION

Service pack information

Windows XP

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack

Windows 2000

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 Service Pack

Update information

Download information

The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition
Collapse this imageExpand this image
Download
Download the 331953 package now.
Windows XP 64-bit Edition:
Collapse this imageExpand this image
Download
Download the 331953 package now.
Windows 2000

All languages except Japanese NEC:
Collapse this imageExpand this image
Download
Download the 331953 package now.
Japanese NEC:
Collapse this imageExpand this image
Download
Download the 331953 package now.
Release Date: March 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

The Windows 2000 version of this update requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

Installation information

This update supports the following Setup program switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running the Setup program.
For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:
q331953_wxp_sp2_x86_enu /u /q /z
To verify the update is installed on your computer, confirm that the following registry key exists:

Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953
Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953
Windows 2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953

Uninstall information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this update. Spuninst.exe is in the %Windir%\$NTUninstallQ331953$\Spuninst folder. The utility supports the following Setup program switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).

Restart requirement

You must restart your computer after you apply this update because this update replaces core system binaries that are loaded during system startup. Your computer is vulnerable until you restart it.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP with Service Pack 1 (SP1)
   Date         Time   Version        Size     File name
   ------------------------------------------------------
   07-Nov-2002  22:47  5.1.2600.1140  505,856  Rpcrt4.dll
Windows XP
   Date         Time   Version       Size     File name
   -----------------------------------------------------
   08-Nov-2002  02:16  5.1.2600.105  439,296  Rpcrt4.dll
Windows 2000
   Date         Time   Version        Size     File name
   ------------------------------------------------------
   25-Oct-2002  22:07  5.0.2195.6089  943,376  Ole32.dll
   25-Oct-2002  22:07  5.0.2195.6106  429,840  Rpcrt4.dll
   25-Oct-2002  22:07  5.0.2195.6089  184,592  Rpcss.dll
You can also verify the files that this update installed by reviewing the following registry key:

Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953\Filelist
Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953\Filelist
Windows 2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953\Filelist

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Windows XP

This problem was first corrected in Microsoft Windows XP Service Pack 2.

Windows 2000

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx

Properties

Article ID: 331953 - Last Review: December 1, 2007 - Revision: 10.7
APPLIES TO
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
Keywords: 
atdownload kbwinxpsp2fix kberrmsg kbwin2ksp4fix kbsecvulnerability kbsecurity kbsecdos kbsecbulletin kbwinxppresp2fix kbbug kbfix kbwin2000presp4fix KB331953

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com