
Home Page  |   Main Article Index  |  FREE XP Newsletter  |  Privacy Policy 

KB824146 Security Patch
 

Buffer Overrun in RPCSS May Allow Code Execution

 

(NB- If you are having problems with Roaming Profiles after installing this patch
see the end of this article....)

So What's The Story With KB824146 ?


Microsoft has published a new security bulletin, on the 10th September 2003, describing three vulnerabilities that affect numerous versions of Microsoft Windows.

Two of these vulnerabilities are remotely exploitable buffer overflows that may allow an attacker to execute arbitrary code with system privileges:

"The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages. There are two buffer overflow vulnerabilities in the RPCSS service, which is enabled by default on many versions of Microsoft Windows. These buffer overflows occur in sections of code that handle DCOM activation messages sent to the RPCSS service. "

 

The third vulnerability may allow a remote attacker to cause a denial of service on your computer:


"Microsoft has also published information regarding a denial-of-service vulnerability in the RPCSS service. This vulnerability only affects Microsoft Windows 2000 systems. (By exploiting the denial-of-service vulnerability, remote attackers may be able to disrupt the RPCSS service. This may result in general system instability and require a reboot.) "

 

The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP 64-Bit Edition Version 2002
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.

Machines running Windows 95, 98 and ME are not at risk from these new vulnerabilities.
 

So What Are XP Users Facing?

Well, we have ALL been affected in some way by the recent MSBlaster worm that hit tens of thousands of computers worldwide. Whether we were personally hit or it was a work/friend's PC.... we all heard about this one. (This is the worm that causes a PC to reboot every 60 seconds....)

The recent MSBlaster worm was exploiting a vulnerability in the way computer code is handled, prior to being sent to the Microsoft RPCSS Service.

Microsoft did make a security patch, KB823980, available that would remove this vulnerability one month prior to the worm being released onto the Internet.

However, it has now been made public that this patch, issued by Microsoft to protect machines against MSBlaster, shut off some - but not all - of the deficiencies in this feature...!

 

Now Microsoft is warning that viruses that work in a similar way to MSBlaster could slip through these holes and cause an outbreak on a similar scale to this recent worm...

 

Jeff Jones, senior director of Trustworthy Computing at Microsoft has been quoted as saying:

"So far malicious hackers do not seem to be targeting the newly found vulnerabilities..."

"We have a worry that history has shown us there are malicious individuals out there that could create an attack of some sort against it,"



Security experts expect that viruses tuned to look for these new holes will soon appear.

MSBlaster appeared barely a month after Microsoft warned about the deficiencies that the virus exploited.

Because the new vulnerabilities affect several different versions of Windows, experts believe any outbreak could be serious.

NB - It is IMPORTANT to realise that the security patch you applied to your PC, to guard against the MSBlaster (and similar attacks), WILL NOT protect you from any new threats.

You MUST install the new security patch IMMEDIATELY.

 

So What Can Be Done? - Install KB824146..!

Microsoft has created a new security patch, KB824146, to prevent any new worm/virus exploiting these newly found vulnerabilities in the RPCSS.

You can find out more at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;824146

Please note:

If you installed the first security patch for the RPCSS (KB823980), you MUST still install this new KB824146 patch as well.

 

Not Sure KB824146 & KB823980 Are Installed On Your PC?

Apart from a quick check in the Add/Remove panel to see if KB824146 and KB823980 are listed, you could always take a peek in the registry. If you have the following registry key, the patch is installed:

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824146

You should also have the other security patch installed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980

 

Microsoft encourages administrators to run the latest version of the Scanner Tool, available in Microsoft Knowledge Base article 827363, to determine if their systems are patched with KB824146 and/or KB823980 correctly. (This tool is a command line based utility and is not for beginners.)

http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

(This tool supersedes the admin tool issued for KB823980.)
 

Conclusion:

As ever, I would urge ALL of you to download and apply the latest patches, to keep your anti-virus software up to date and to use a firewall to protect against unwanted intrusions.

For those of you who are able to do so, it is worth filtering traffic on these well known Microsoft RPC ports:

Port 135 (tcp/udp)
Port 137 (udp)
Port 138 (udp)
Port 139 (tcp)
Port 445 (tcp/udp)
Port 593 (tcp)
 

As a side note, for those of you who are interested, the latest security patch, KB824146, will update three key .DLL files on your PC. These are:

ole32.dll      new version number = 5.1.2600.1263
rpcrt4.dll     new version number = 5.1.2600.1254
rpcss.dll      new version number = 5.1.2600.1263
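
As an added example (not part of the original article and not a Microsoft tool), the two checks described above, the registry key and the DLL version numbers, can be combined into one audit over details collected from several PCs. The inventory layout, host names and sample values are made up for the illustration.

```python
# Added example: audit collected inventory for the KB824146 markers on this page.
# The inventory layout, host names and sample values below are constructed.
KB824146_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824146"
MIN_VERSIONS = {  # file versions the article lists for the patched DLLs
    "ole32.dll": "5.1.2600.1263",
    "rpcrt4.dll": "5.1.2600.1254",
    "rpcss.dll": "5.1.2600.1263",
}

def parse_version(text):
    """Turn '5.1.2600.1263 (build label)' into (5, 1, 2600, 1263)."""
    return tuple(int(part) for part in text.split()[0].split("."))

def audit_host(host):
    """Return a list of findings; an empty list means every marker checks out."""
    findings = []
    keys = {k.lower() for k in host.get("registry_keys", [])}
    if KB824146_KEY.lower() not in keys:
        findings.append("KB824146 registry key missing")
    for dll, minimum in MIN_VERSIONS.items():
        found = host.get("file_versions", {}).get(dll)
        if found is None:
            findings.append(f"{dll}: version not collected")
        elif parse_version(found) < parse_version(minimum):
            # Compared as integer tuples: as plain strings "...999" sorts after "...1263".
            findings.append(f"{dll}: {found} older than {minimum}")
    return findings

SAMPLE_INVENTORY = [  # constructed records
    {"name": "HOST-A", "registry_keys": [KB824146_KEY],
     "file_versions": {"ole32.dll": "5.1.2600.1263", "rpcrt4.dll": "5.1.2600.1254",
                       "rpcss.dll": "5.1.2600.1263 (constructed-label)"}},
    {"name": "HOST-B", "registry_keys": [KB824146_KEY],  # key present, one DLL stale
     "file_versions": {"ole32.dll": "5.1.2600.1263", "rpcrt4.dll": "5.1.2600.1254",
                       "rpcss.dll": "5.1.2600.999"}},
    {"name": "HOST-C", "registry_keys": [],  # nothing recorded for the patch
     "file_versions": {"ole32.dll": "5.1.2600.1106", "rpcrt4.dll": "5.1.2600.1254"}},
]

def audit_all(inventory):
    """Map each host name to its list of findings."""
    return {host["name"]: audit_host(host) for host in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A PC that shows the registry key but still reports an older DLL version is flagged, which the registry check alone would miss.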


Microsoft has published Microsoft Security Bulletin MS03-039 to address this vulnerability. Please see http://www.microsoft.com/technet/security/bulletin/MS03-039.asp. This bulletin supersedes MS03-026.


However, this new flaw with the DCOM protocol in XP, raises the question -
Do I REALLY need to Have DCOM enabled?

Find out the answer here: DCOM Windows XP

 

 

Trouble with roaming profiles (XP or 2000)? Then this patch may be your problem! I have had to troubleshoot a few networks after patch KB824146 was installed...

When a user comes to logoff time, a temporary file is created that contains the usrclass.dat changes made by the current user during their logon session. Well, this file needs to be reconciled to the user's roaming profile, stored (usually) on a file server somewhere on the network...

Now I am only guessing here, but it looks like this process makes an RPC call to the file server, and the KB824146 patch has made some "changes" to the RPC call process, and is therefore causing this roaming profile issue to occur!

Now I have ALSO seen this with patch KB823980 on Windows 2000 SP3 and SP4 installations too... though, as described above, this patch has been superseded by KB824146.

So what to do?

It has been suggested that some have resolved the issue by removing KB823980 and reapplying KB824146, but I am not so sure that is a valid resolution myself...

I have personally overcome this issue by adding the following registry value to Windows XP SP1, W2K SP3 and W2K SP4 machines...

PLEASE observe the usual rules about editing the registry and I make no warranty that this edit will work for you but simply share it here in good faith!

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

DWORD    CompatibleRUPSecurity        value: 00000001

 

No need to reboot!

NB - There is ANOTHER issue that may stop roaming profiles working properly in Windows XP SP1 and Windows 2000 SP4 machines.... see http://support.microsoft.com/?id=327462 for further info!

Well I hope this article was useful..


Regards

Marc Liron
The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL Trademarks are freely acknowledged
ALL information is provided "As Is"

This page was last updated 30th October 2003

 


An article on the KB824146 RPCSS Security Patch