In the wake of the second DCom vulnerability, users have
been advised to turn off the services in Microsoft operating
systems that could be vulnerable to worms similar to August's
Blaster outbreak.
The DCom security hole involved Remote Procedure Call, a protocol
used by Windows. RPC provides an inter-process communication
mechanism that allows a program that is running on one computer to
seamlessly access services on another computer.
Microsoft identified three vulnerabilities in the part of the
Windows RPC service that affects the DCom interface. The flaws
result from incorrect handling of malformed messages. Two of the
vulnerabilities could allow an attacker to run malicious programs;
the other could result in a denial of service.
Russ Cooper, chief scientist at security specialist Trusecure, who
also runs the Ntbugtraq security mailing list, advised users to
disable DCom to avert possible hacking attacks. This would
safeguard most users against any worm developed to exploit the
latest hole, and only those who really needed DCom would have to be
patched against it.
The DCom service uses TCP/IP port 135 to let users share content
between computers in a way that keeps it updated on both - for
example, when a user wants to use a colleague's Excel document in
his own Word file.
Cooper said, "This function is important for Microsoft and for
developers but it is not widely used - for most people, standard
OLE [a Com-based technology for embedding objects in documents]
will do the job. This is one of the functions we recommend users
switch off to ensure their PCs are not vulnerable to attack. PCs
are shipped with far too permissive a configuration."
Cooper said users should also check the options configured at
set-up in operating systems and core applications to ensure that
unused but potentially exploitable services are turned off.
"The problem is that it is not widely known which services are
switched on by default. You can look at the questions asked on
installation and you should switch them all off if you cannot come
up with a business case for using them. Unfortunately, not all
questions are asked," he said.
Cooper said Microsoft's failure to discover the second set of DCom
vulnerabilities at the time of the Blaster outbreak was
"unforgivable". "Microsoft had all the time it needed to discover
these vulnerabilities after the first ones were found and it should
have issued patches for all four at the same time. All the work
that systems administrators did in July and August to patch their
systems was for nothing," he said.
Stuart Okin, chief security officer at Microsoft, agreed that users
could disable DCom (on port 135) to mitigate future vulnerabilities
in DCom but he warned, "Lots of applications use port 135. You
cannot simply switch it off."
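An audit script covering the two pieces of advice above (Cooper's: disable DCom and switch off unneeded default services; Okin's: check what is actually using port 135 before doing so). This is an added example, not part of the article or of any Microsoft guidance; it assumes a modern Windows host with PowerShell 5 or later, and that the documented `HKLM:\SOFTWARE\Microsoft\Ole\EnableDCOM` value ("Y"/"N") is the DCom switch.

```powershell
# Added example: report DCOM state, port 135 listeners and auto-start services.
# Read-only: it changes nothing, so it can be run before deciding what to disable.

function Get-DcomExposure {
    # EnableDCOM is absent or "Y" on a default install; "N" means DCOM was disabled.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $dcomEnabled = ($null -eq $ole) -or ($null -eq $ole.EnableDCOM) -or ($ole.EnableDCOM -eq 'Y')

    # Whatever is bound to TCP 135 (the RPC endpoint mapper) and which process owns it.
    # Note: disabling DCOM does not by itself stop the RPC service listening here,
    # which is why the article's "just switch it off" advice needs this check first.
    $listeners = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }

    # Services that start automatically: the "switched on by default" list Cooper
    # says users should review against a business case.
    $autoServices = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State

    # Exposed = DCOM on AND port 135 reachable on something other than loopback.
    $remoteListener = $listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }

    [pscustomobject]@{
        DcomEnabled       = $dcomEnabled
        Port135Listeners  = $listeners
        AutoStartServices = $autoServices
        ExposedOnPort135  = [bool]($dcomEnabled -and $remoteListener)
    }
}

$report = Get-DcomExposure
"DCOM enabled: $($report.DcomEnabled); exposed on port 135: $($report.ExposedOnPort135)"
$report.Port135Listeners | Format-Table -AutoSize
$report.AutoStartServices | Format-Table -AutoSize
```

If `ExposedOnPort135` is true, the listener table shows which process (normally the RPC service) holds the port, and the auto-start list is the starting point for deciding which services lack a business case; setting `EnableDCOM` to "N" is then a separate, deliberate change.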