Windows flaws allow PC takeover

Microsoft warns of three vulnerabilities in Windows that could have an effect similar to that of last month's marauding MSBlast worm.

Michael Kanellos Staff Writer, CNET News.com
Microsoft identified three vulnerabilities in Windows on Wednesday that could have a similar effect to that of the dreaded MSBlast worm of August.


The flaws, which affect Windows NT 4.0, Windows 2000, Windows Server 2003, Windows XP and the 64-bit versions of Windows XP, are the latest in a string of critical weaknesses identified in Windows recently. The company has issued a patch that can be downloaded from its Web site.

The first two flaws are buffer overruns, which allow a hacker to take over a computer by swamping it with data.

The third is a denial-of-service flaw that affects a component known as the remote procedure call (RPC) process. The RPC process facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources. By using the flaws in tandem, a hacker could load unwanted programs onto computers through the buffer overrun flaws and then use the infected computers to launch a denial-of-service attack.

The MSBlast worm, also known as W32/Blaster and W32.Lovsan, exploited a similar vulnerability that allowed a group of unknown hackers to load data on computers worldwide in an attempt to knock out servers that run Microsoft's update services.

"An attacker who successfully exploited either of the buffer overrun vulnerabilities could gain complete control over a remote computer," Microsoft stated in a bulletin released Wednesday. "This would give the attacker the ability to take any action that they wanted on the system, including changing Web pages, reformatting the hard disk or adding new users to the local administrators group."

The bulletin released Wednesday, MS03-039, supersedes bulletin MS03-026, which in July first warned of the vulnerability MSBlast exploited. The vulnerability revealed Wednesday is similar in nature and in its potential for damage, but it affects the RPC function differently.

"It is a different vulnerability, but they have the same impact, and they affect the same ports," said Stephen Toulouse, security program manager at Microsoft's Security Response Center. "In terms of impact, it is the same."

Ports are standardized software addresses that allow applications to exchange data. Firewalls routinely prevent illicit access to such services from the Internet by blocking the specific port used by a computer to offer those services.

Microsoft is urging customers to apply the patch immediately. The company is also revisiting its overall security patching policy, Toulouse said. Now, patching is mostly left up to customers, a problem that has helped viruses spread.

Although the flaws were announced Wednesday, researchers at the CERT Coordination Center, a clearinghouse for information on Internet threats, said in August that they had detected the potential for a second denial-of-service flaw with the RPC process.

The actual flaw was first discovered by eEye security, NSFocus and Tenable Network Security.

Mike Cherry, an analyst for research firm Directions on Microsoft, said that although weekly disclosures of new software vulnerabilities may be hard on Microsoft's image, they represent a new attitude about security.

"It would be nice to go a couple of weeks without there being a new security bulletin," he said. "But one of the things they promised with Trustworthy Computing was to do bulletins on a regular basis and deliver better patches, and they've followed through on that... The old way was to try to ignore everything and hope security wouldn't be a problem."

CNET News.com's David Becker contributed to this report.