MS03-026: Buffer Overrun in RPC May Allow Code Execution

Technical Update

  • September 10, 2003: The following changes were made to this article:
    • Updated the "Security Patch Replacement Information" sections to indicate that this patch has been replaced by 824146 (MS03-039).
      For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

      824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

    • Updated the "Installation Information" sections to indicate that Microsoft has released a tool that network administrators can use to scan a network and to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed.
      For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:
      827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

    • Updated the "Security Patch Replacement Information" section for Windows NT 4.0 to indicate that this security patch replaces 305399 (MS01-048) for Windows NT 4.0-based computers.
  • August 19, 2003: Updated the "More Information" section to include a reference to Microsoft Knowledge Base article 826234. This article contains information about the Nachi worm virus that tries to exploit the vulnerability that is fixed by this security patch.
    826234 Virus Alert About the Nachi Worm

  • August 14, 2003: The following changes were made to this article:
    • Updated the "More Information" section to include a reference to Microsoft Knowledge Base article 826955. This article contains information about the Blaster worm virus that tries to exploit the vulnerability that is fixed by this security patch.
      826955 Virus Alert About the Blaster Worm and Its Variants

    • Updated the "Installation Information" section to indicate that Microsoft has released a tool that network administrators can use to scan a network for systems that do not have this security patch installed.
    • Updated the "Security Patch Replacement Information" sections to indicate that this security patch replaces 331953 (MS03-010) for Windows 2000-based computers and Windows XP-based computers. For Windows NT 4.0-based computers and Windows Server 2003-based computers, this security patch does not replace any other security patches.
    • Updated the Windows 2000 "Prerequisites" section to include information about Windows 2000 Service Pack 2 support for this patch.
    • Updated the "Workaround" section to provide additional workaround information.
  • July 18, 2003: Updated the "Symptoms" section and the "Mitigating Factors" section. Added a note to the Windows 2000 "Prerequisites" section. Added a note to the Windows NT 4.0 "Prerequisites" section. In the "Windows NT 4.0" section, changed the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows NT\SP6\KB823980" to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823980". In the "Workaround" section, changed the text in the first bullet point ("Block port 135 at your firewall"). In the following sections, changed the file information tables: Windows Server 2003, 32-Bit Edition; Windows Server 2003, 64-Bit Edition; Windows XP Professional and Windows XP Home Edition; Windows XP 64-Bit Edition.
  • August 18, 2003: Updated the "Prerequisites" section.

Symptoms

Microsoft originally released this bulletin and patch on July 16, 2003, to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the "mitigating factors" and "workarounds" discussions in the original security bulletin did not clearly identify all the ports by which the vulnerability could potentially be exploited. Microsoft has updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked and to make sure that customers who choose to implement a workaround before installing the patch have the information that they must have to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability and do not have to take further action.

Remote Procedure Call (RPC) is a protocol that is used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program that is running on one computer to seamlessly run code on a remote computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol. The RPC protocol that is used by Windows includes some additional Microsoft-specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC-enabled ports. This interface handles DCOM object activation requests that are sent by client machines (for example, Universal Naming Convention [UNC] path requests) to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would have to send a specially formed request to the remote computer on specific RPC ports.

Mitigating Factors
  • To exploit this vulnerability, the attacker must be able to send a specially crafted request to port 135, port 139, port 445, or any other specifically configured RPC port on the remote computer. For intranet environments, these ports are typically accessible, but for Internet-connected computers, these ports are typically blocked by a firewall. If these ports are not blocked, or in an intranet environment, the attacker does not have to have any additional privileges.
  • Best practice recommendations include blocking all TCP/IP ports that are not actually being used. By default, most firewalls, including the Windows Internet Connection Firewall (ICF), block those ports. For this reason, most computers that are attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments, such as the Internet. More robust protocols, such as RPC over HTTP, are provided for hostile environments.

Resolution

Security Patch Information

For more information about how to resolve this vulnerability, click the appropriate link in the following list:

Windows Server 2003 (All Versions)

Download Information
The following files are available for download from the Microsoft Download Center:


Windows Server 2003, 32-Bit EditionWindows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003 Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This security patch requires the released version of Windows Server 2003.
Installation Information
This security patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that network administrators can use to scan a network for the presence of systems that do not have this security patch installed.
For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980
To verify that this update has been installed, use the Microsoft Baseline Security Analyzer (MBSA). For additional information about MBSA, see the following Microsoft Web site:
Deployment Information
To install the security patch without any user intervention, use the following command:
WindowsServer2003-KB823980-x86-ENU /u /q
To install the security patch without forcing the computer to restart, use the following command:
WindowsServer2003-KB823980-x86-ENU /z
Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement
You must restart your computer after you apply this security patch.
Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
Security Patch Replacement Information
For Windows Server 2003-based computers, this security patch does not replace any other security patches.

This security patch is replaced by 824146 (MS03-039).
For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.


Windows Server 2003, 32-Bit Edition:

Date Time Version Size File name Folder
-------------------------------------------------------------------
05-Jul-2003 18:03 5.2.3790.68 1,182,720 Ole32.dll \rtmgdr
05-Jul-2003 18:03 5.2.3790.59 657,920 Rpcrt4.dll \rtmgdr
05-Jul-2003 18:03 5.2.3790.68 217,088 Rpcss.dll \rtmgdr
05-Jul-2003 18:01 5.2.3790.68 1,182,720 Ole32.dll \rtmqfe
05-Jul-2003 18:01 5.2.3790.63 658,432 Rpcrt4.dll \rtmqfe
05-Jul-2003 18:01 5.2.3790.68 217,600 Rpcss.dll \rtmqfe


Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003:

Date Time Version Size File name Folder
----------------------------------------------------------------------------------
05-Jul-2003 18:05 5.2.3790.68 3,549,184 Ole32.dll (IA64) \Rtmgdr
05-Jul-2003 18:05 5.2.3790.59 2,127,872 Rpcrt4.dll (IA64) \Rtmgdr
05-Jul-2003 18:05 5.2.3790.68 660,992 Rpcss.dll (IA64) \Rtmgdr
05-Jul-2003 18:03 5.2.3790.68 1,182,720 Wole32.dll (X86) \Rtmgdr\Wow
05-Jul-2003 18:03 5.2.3790.59 539,648 Wrpcrt4.dll (X86) \Rtmgdr\Wow
05-Jul-2003 18:03 5.2.3790.68 3,548,672 Ole32.dll (IA64) \Rtmqfe
05-Jul-2003 18:03 5.2.3790.63 2,128,384 Rpcrt4.dll (IA64) \Rtmqfe
05-Jul-2003 18:03 5.2.3790.68 662,016 Rpcss.dll (IA64) \Rtmqfe
05-Jul-2003 18:01 5.2.3790.68 1,182,720 Wole32.dll (X86) \Rtmqfe\Wow
05-Jul-2003 18:01 5.2.3790.63 539,648 Wrpcrt4.dll (X86) \Rtmqfe\Wow
Note When you install this security patch on a computer that is running Windows Server 2003 or a Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you previously installed a hotfix to update one of these files, the installer copies the hotfix files to your computer. Otherwise, the installer copies the GDR files to your computer.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the Contents of a Windows Server 2003 Product Update Package

You can verify the files that this security patch installs by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980\Filelist

Windows XP (All Versions)

Download Information
The following files are available for download from the Microsoft Download Center:


Windows XP Professional and Windows XP Home EditionWindows XP 64-Bit Edition Version 2002 Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
Installation Information
This security patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that network administrators can use to scan a network for the presence of systems that do not have this security patch installed.
For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:

Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980
Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980
For additional information about Microsoft Baseline Security Analyzer (MBSA), click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

Deployment Information
To install the security patch without any user intervention, use the following command:
WindowsXP-KB823980-x86-ENU /u /q
To install the security patch without forcing the computer to restart, use the following command:
WindowsXP-KB823980-x86-ENU /z
Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement
You must restart your computer after you apply this security patch.
Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
Security Patch Replacement Information
For Windows XP-based computers, this security patch replaces 331953 (MS03-010).

This patch is replaced by 824146 (MS03-039).
For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.


Windows XP Professional and Windows XP Home Edition:


Date Time Version Size File name
-------------------------------------------------------------------
05-Jul-2003 19:14 5.1.2600.115 1,092,096 Ole32.dll pre-SP1
05-Jul-2003 19:14 5.1.2600.109 439,296 Rpcrt4.dll pre-SP1
05-Jul-2003 19:14 5.1.2600.115 203,264 Rpcss.dll pre-SP1
05-Jul-2003 19:12 5.1.2600.1243 1,120,256 Ole32.dll with SP1
05-Jul-2003 19:12 5.1.2600.1230 504,320 Rpcrt4.dll with SP1
05-Jul-2003 19:12 5.1.2600.1243 202,752 Rpcss.dll with SP1
Windows XP 64-Bit Edition Version 2002:


Date Time Version Size File name
--------------------------------------------------------------------------------
05-Jul-2003 19:15 5.1.2600.115 4,191,744 Ole32.dll (IA64) pre-SP1
05-Jul-2003 19:15 5.1.2600.109 2,025,472 Rpcrt4.dll (IA64) pre-SP1
05-Jul-2003 19:15 5.1.2600.115 737,792 Rpcss.dll (IA64) pre-SP1
05-Jul-2003 19:12 5.1.2600.1243 4,292,608 Ole32.dll (IA64) with SP1
05-Jul-2003 19:12 5.1.2600.1230 2,292,224 Rpcrt4.dll (IA64) with SP1
05-Jul-2003 19:12 5.1.2600.1243 738,304 Rpcss.dll (IA64) with SP1
05-Jul-2003 18:37 5.1.2600.115 1,092,096 Wole32.dll (X86) pre-SP1
03-Jan-2003 02:06 5.1.2600.109 440,320 Wrpcrt4.dll (X86) pre-SP1
05-Jul-2003 18:07 5.1.2600.1243 1,120,256 Wole32.dll (X86) with SP1
04-Jun-2003 17:35 5.1.2600.1230 505,344 Wrpcrt4.dll (X86) with SP1

Note The Windows XP versions of this patch are packaged as dual-mode packages.
For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:
328848 Description of dual-mode update packages for Windows XP


You can verify the files that this security patch installs by reviewing the following registry key:

Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980\Filelist
Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980\Filelist

Windows 2000 (All Versions)

Download Information
The following file is available for download from the Microsoft Download Center:

Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.


Note This patch is not supported on Windows 2000 Datacenter Server. For information about how to obtain a security patch for Windows 2000 Datacenter Server, contact your participating OEM vendor.
For additional information about Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product

Prerequisites
This security patch requires Windows 2000 Service Pack 2 (SP2), Windows 2000 Service Pack 3 (SP3), or Windows 2000 Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

Installation Information
This security patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that you can use to scan a network for the presence of systems that do not have this security patch installed.
For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980
For additional information about Microsoft Baseline Security Analyzer (MBSA), click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

Deployment Information
To install the security patch without any user intervention, use the following command:
Windows2000-KB823980-x86-ENU /u /q
To install the security patch without forcing the computer to restart, use the following command:
Windows2000-KB823980-x86-ENU /z
Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement
You must restart your computer after you apply this security patch.
Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
Security Patch Replacement Information
For Windows 2000-based computers, this security patch replaces 331953 (MS03-010).

This patch is replaced by 824146 (MS03-039).
For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.



Date Time Version Size File name
--------------------------------------------------------------
05-Jul-2003 17:15 5.0.2195.6769 944,912 Ole32.dll
05-Jul-2003 17:15 5.0.2195.6753 432,400 Rpcrt4.dll
05-Jul-2003 17:15 5.0.2195.6769 188,688 Rpcss.dll
You can verify the files that this security patch installs by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980\Filelist
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Windows NT 4.0 (All Versions)

Download Information
The following files are available for download from the Microsoft Download Center:


Windows NT 4.0 Server: Windows NT 4.0 Server, Terminal Server Edition: Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

Note This security patch will install on Windows NT 4.0 Workstation. However, Microsoft no longer supports this version, according to the Microsoft Lifecycle Support policy. Additionally, this security patch has not been tested on Windows NT 4.0 Workstation. For information about the Microsoft Lifecycle Support policy, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Installation Information
This security patch supports the following Setup switches:
  • /y : Perform removal (only with /m or /q ).
  • /f : Force programs to be closed at shutdown.
  • /n : Do not create an Uninstall folder.
  • /z : Do not restart when update completes.
  • /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
  • /m : Use Unattended mode with user interface.
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that you can use to scan a network for the presence of systems which do not have this security patch installed.
For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Hotfix\Q823980
For additional information about Microsoft Baseline Security Analyzer (MBSA), click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

Deployment Information
To install the security patch without any user intervention, use the following command:
Q823980i /q
To install the security patch without forcing the computer to restart, use the following command:
Q823980i /z
Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement
You must restart your computer after you apply this security patch.
Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
Security Patch Replacement Information
For Windows NT 4.0-based computers, this security patch replaces the security patch that is provided with Microsoft Security Bulletin MS01-048.

This patch is replaced by 824146 (MS03-039).
For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.


Windows NT 4.0 Server:

Date Time Version Size File name
--------------------------------------------------------------
05-Jul-2003 5:26 4.0.1381.7224 701,200 Ole32.dll
05-Jul-2003 5:26 4.0.1381.7219 345,872 Rpcrt4.dll
05-Jul-2003 5:26 4.0.1381.7224 107,280 Rpcss.exe
Windows NT 4.0 Server, Terminal Server Edition:

Date Time Version Size File name
--------------------------------------------------------------
07-Jul-2003 3:29 4.0.1381.33549 701,712 Ole32.dll
07-Jul-2003 3:29 4.0.1381.33474 345,360 Rpcrt4.dll
07-Jul-2003 3:29 4.0.1381.33549 109,328 Rpcss.exe
To verify that the security patch has been installed on your computer, confirm that all files that are listed in the table are present on your computer.

Workaround

Although Microsoft urges all customers to apply the security patch at the earliest possible opportunity, there are several workarounds that you can use in the interim to help prevent the vector that is used to exploit this vulnerability.

These workarounds are temporary measures. They only help to block the paths of attack. They do not correct the underlying vulnerability.

The following sections provide information that you can use to help protect your computer from attack. Each section describes the workarounds that you can use, depending on your computer’s configuration and depending on the level of functionality that you require.
  • Block UDP ports 135, 137, 138, and 445 and TCP ports 135, 139, 445, and 593 at your firewall, and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines.These ports are used to initiate an RPC connection with a remote computer. Blocking these ports at the firewall will help prevent systems behind that firewall from being attacked by attempts to exploit these vulnerabilities. You should also block any other specifically configured RPC port on the remote machine.

    If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP ports 80 (and port 443 on Windows XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected machines.

    For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:
    825819 How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

    For additional information about RPC over HTTP, visit the following Microsoft Web site: Additionally, customers may have configured services or protocols that use RPC that may also be accessible from the Internet. Systems administrators are strongly encouraged to examine RPC ports that are exposed to the Internet and to either block these ports at their firewall or to apply the patch immediately.
  • Use Internet Connection Firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines. If you are using the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help to protect your Internet connection, it will by default block inbound RPC traffic from the Internet. Make sure that CIS and RPC over HTTP are disabled on all affected machines.
    For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:
    825819 How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

    For additional information about RPC over HTTP, visit the following Microsoft Web site:
  • Block the affected ports by using an IPSEC filter and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machinesYou can secure network communications on Windows 2000-based computers if you use Internet Protocol Security (IPSec).
    For additional information about IPSec and how to apply filters, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    313190 HOW TO: Use IPSec IP Filter Lists in Windows 2000

    813878 How to Block Specific Network Protocols and Ports by Using IPSec

    Make sure that CIS and RPC over HTTP are disabled on all affected machines. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:
    825819 How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

  • Disable DCOM on all affected computers: When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers.

    You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so disables all communication between objects on that computer and objects on other computers. If you disable DCOM on a remote computer, you then cannot remotely access that computer to re-enable DCOM. To re-enable DCOM, you must have physical access to that computer.
    For additional information about how to disable DCOM, click the following article number to view the article in the Microsoft Knowledge Base:
    825750 How to Disable DCOM Support in Windows

    Note For Windows 2000, the methods described in Microsoft Knowledge Base article 825750 to disable DCOM will only work on computers that are running Windows 2000 Service Pack 3 or later. Customers using Service Pack 2 or earlier should upgrade to a later service pack or use one of the other workarounds.

Status

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

More Information

For more information about this vulnerability, visit the following Microsoft Web site: For more information about securing RPC for clients and servers, visit the following Microsoft Web site: For more information about the ports that RPC uses, visit the following Microsoft Web site: For additional information about the Blaster worm virus that tries to exploit the vulnerability that is fixed by this security patch, click the following article number to view the article in the Microsoft Knowledge Base:
826955 Virus Alert About the Blaster Worm and Its Variants

For additional information about the Nachi worm virus that tries to exploit the vulnerability that is fixed by this security patch, click the following article number to view the article in the Microsoft Knowledge Base:
826234 Virus Alert About the Nachi Worm

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product

Eigenschaften

Artikelnummer: 823980 – Letzte Überarbeitung: 05.06.2009 – Revision: 1

Feedback