Are You Vulnerable to RPC Exploitation?

If you've read any of the news stories around the Internet lately about the recently reported remote procedure call (RPC) security problem (related to Microsoft Security Bulletin MS03-026—Buffer Overrun In RPC Interface Could Allow Code Execution), then you might be wondering if the Internet will be brought to its knees any time now if someone releases a worm that exploits the problem. I think the problem is being over-hyped, but nevertheless, the problem is significant and requires your attention in protecting your systems.

The same tried and true advice applies in this case that has applied for years: Patch your systems as quickly as possible and adjust your network security accordingly, including internal and border firewalls, as well as any associated filtering technology. If you aren't sure which of your systems might be vulnerable, you can test your systems to determine your exposure.

If you're depending on Windows Update service to protect you, you're out of luck and you might be unnecessarily exposing your systems to risk. According to Russ Cooper at NTBugTraq, Windows Update might report that the patch is installed already when in fact it isn't. The false positives have to do with the way the tool uses registry entries to determine whether a patch is installed instead of inspecting files and file versions. Bottom line: Windows Update needs a patch itself. There has also been at least one report (according to Cooper) that St. Bernard Software's UpdateEXPERT might, in some cases, think the patch is installed when it isn't. It remains unclear why this false positive might happen.

Microsoft Baseline Security Analyzer (MBSA) will work to help you determine your patch needs in this case, as will several other free tools. eEye Digital Security has released a tool, RPC/DCOM Scanner 1.0.3, which you can download from the company's Web site. Internet Security Systems has also released a command-line tool, ScanMS, which checks for systems that aren't patched for the RPC problem. Note that users have reported false reports of vulnerablity from the ScanMS tool when DCOM has been disabled on a system. And Shavlik Technologies reminds users that its HFNetChk Lite software (freeware) will scan a range of systems for all missing patches, and roll patches out to as many as 50 systems.