Turn off DCom features to protect Windows from future viruses

In the wake of the second DCom vulnerability, users have been advised to turn off the services in Microsoft operating systems...

In the wake of the second DCom vulnerability, users have been advised to turn off the services in Microsoft operating systems that could be vulnerable to worms similar to August's Blaster outbreak.

The DCom security hole involved Remote Procedure Call, a protocol used by Windows. RPC provides an inter-process communication mechanism that allows a program that is running on one computer to seamlessly access services on another computer.

Microsoft identified three vulnerabilities in the part of the Windows RPC service that affects the DCom interface. The flaws result from incorrect handling of malformed messages. Two of the vulnerabilities could allow an attacker to run malicious programs; the other could result in a denial of service.

Russ Cooper, chief scientist at security specialist Trusecure, who also runs the Ntbugtraq security mailing list, advised users to disable DCom to avert possible hacking attacks. This would safeguard most users against any worm developed to exploit the latest hole, and only those who really needed DCom would have to be patched against it.

The DCom service uses TCP/IP port 135 to enable users to share content between computers in a way that allows updates between them - for example, when a user wants to use a colleague's Excel document his own Word file.

Cooper said, "This function is important for Microsoft and for developers but it is not widely used - for most people, standard OLE [a Com-based technology for embedding objects in documents] will do the job. This is one of the functions we recommend users switch off to ensure their PCs are not vulnerable to attack. PCs are shipped with far too permissive a configuration."

Cooper said users should also check the options configured at set-up in operating systems and core applications to ensure that unused but potentially exploitable services are turned off.

"The problem is that it is not widely known which services are switched on by default. You can look at the questions asked on installation and you should switch them all off if you cannot come up with a business case for using them. Unfortunately, not all questions are asked," he said.

Cooper said Microsoft's failure to discover the second set of DCom vulnerabilities at the time of the Blaster outbreak was "unforgivable". "Microsoft had all the time it needed to discover these vulnerabilities after the first ones were found and it should have issued patches for all four at the same time. All the work that systems administrators did in July and August to patch their systems was for nothing," he said.

Stuart Okin, chief security officer at Microsoft, agreed that users could disable DCom (on port 135) to mitigate future vulnerabilities in DCom but he warned, "Lots of applications use port 135. You cannot simply switch it off."

Read more on IT risk management