MS03-026: Buffer Overrun in RPC May Allow Code Execution (823980)



The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows XP 64-Bit Edition Version 2002
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Workstation 4.0


Technical Update

  • September 10, 2003: The following changes were made to this article:
    • Updated the "Security Patch Replacement Information" sections to indicate that this patch has been replaced by 824146 (MS03-039). For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

      824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

    • Updated the "Installation Information" sections to indicate that Microsoft has released a tool that network administrators can use to scan a network and to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:

      827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

    • Updated the "Security Patch Replacement Information" section for Windows NT 4.0 to indicate that this security patch replaces 305399 (MS01-048) for Windows NT 4.0-based computers.
  • August 19, 2003: Updated the "More Information" section to include a reference to Microsoft Knowledge Base article 826234. This article contains information about the Nachi worm virus that tries to exploit the vulnerability that is fixed by this security patch.

    826234 Virus Alert About the Nachi Worm

  • August 14, 2003: The following changes were made to this article:
    • Updated the "More Information" section to include a reference to Microsoft Knowledge Base article 826955. This article contains information about the Blaster worm virus that tries to exploit the vulnerability that is fixed by this security patch.

      826955 Virus Alert About the Blaster Worm and Its Variants

    • Updated the "Installation Information" section to indicate that Microsoft has released a tool that network administrators can use to scan a network for systems that do not have this security patch installed.
    • Updated the "Security Patch Replacement Information" sections to indicate that this security patch replaces 331953 (MS03-010) for Windows 2000-based computers and Windows XP-based computers. For Windows NT 4.0-based computers and Windows Server 2003-based computers, this security patch does not replace any other security patches.
    • Updated the Windows 2000 "Prerequisites" section to include information about Windows 2000 Service Pack 2 support for this patch.
    • Updated the "Workaround" section to provide additional workaround information.
  • July 18, 2003: Updated the "Symptoms" section and the "Mitigating Factors" section. Added a note to the Windows 2000 "Prerequisites" section. Added a note to the Windows NT 4.0 "Prerequisites" section. In the "Windows NT 4.0" section, changed the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows NT\SP6\KB823980" to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823980". In the "Workaround" section, changed the text in the first bullet point ("Block port 135 at your firewall"). In the following sections, changed the file information tables: Windows Server 2003, 32-Bit Edition; Windows Server 2003, 64-Bit Edition; Windows XP Professional and Windows XP Home Edition; Windows XP 64-Bit Edition.
  • August 18, 2003: Updated the "Prerequisites" section.

SYMPTOMS

Microsoft originally released this bulletin and patch on July 16, 2003, to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the "mitigating factors" and "workarounds" discussions in the original security bulletin did not clearly identify all the ports by which the vulnerability could potentially be exploited. Microsoft has updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked and to make sure that customers who choose to implement a workaround before installing the patch have the information that they must have to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability and do not have to take further action.

Remote Procedure Call (RPC) is a protocol that is used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program that is running on one computer to seamlessly run code on a remote computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol. The RPC protocol that is used by Windows includes some additional Microsoft-specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC-enabled ports. This interface handles DCOM object activation requests that are sent by client machines (for example, Universal Naming Convention [UNC] path requests) to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would have to send a specially formed request to the remote computer on specific RPC ports.

Mitigating Factors
  • To exploit this vulnerability, the attacker must be able to send a specially crafted request to port 135, port 139, port 445, or any other specifically configured RPC port on the remote computer. For intranet environments, these ports are typically accessible, but for Internet-connected computers, these ports are typically blocked by a firewall. If these ports are not blocked, or in an intranet environment, the attacker does not have to have any additional privileges.
  • Best practice recommendations include blocking all TCP/IP ports that are not actually being used. By default, most firewalls, including the Windows Internet Connection Firewall (ICF), block those ports. For this reason, most computers that are attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments, such as the Internet. More robust protocols, such as RPC over HTTP, are provided for hostile environments.

RESOLUTION

Security Patch Information

For more information about how to resolve this vulnerability, click the appropriate link in the following list:

Windows Server 2003 (All Versions)

Download Information

The following files are available for download from the Microsoft Download Center:

  • Windows Server 2003, 32-Bit Edition
  • Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003

Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires the released version of Windows Server 2003.

Installation Information

This security patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that network administrators can use to scan a network for the presence of systems that do not have this security patch installed. For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980

To verify that this update has been installed, use the Microsoft Baseline Security Analyzer (MBSA). For additional information about MBSA, see the following Microsoft Web site:

Deployment Information

To install the security patch without any user intervention, use the following command:

WindowsServer2003-KB823980-x86-ENU /u /q

To install the security patch without forcing the computer to restart, use the following command:

WindowsServer2003-KB823980-x86-ENU /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart Requirement

You must restart your computer after you apply this security patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information

For Windows Server 2003-based computers, this security patch does not replace any other security patches.

This security patch is replaced by 824146 (MS03-039). For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, 32-Bit Edition:
   Date         Time   Version            Size    File name    Folder
   -------------------------------------------------------------------
   05-Jul-2003  18:03  5.2.3790.68     1,182,720  Ole32.dll    \rtmgdr    
   05-Jul-2003  18:03  5.2.3790.59       657,920  Rpcrt4.dll   \rtmgdr    
   05-Jul-2003  18:03  5.2.3790.68       217,088  Rpcss.dll    \rtmgdr    
   05-Jul-2003  18:01  5.2.3790.68     1,182,720  Ole32.dll    \rtmqfe   
   05-Jul-2003  18:01  5.2.3790.63       658,432  Rpcrt4.dll   \rtmqfe    
   05-Jul-2003  18:01  5.2.3790.68       217,600  Rpcss.dll    \rtmqfe    


Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003:
   Date         Time   Version            Size    File name                Folder
   ----------------------------------------------------------------------------------
   05-Jul-2003  18:05  5.2.3790.68     3,549,184  Ole32.dll       (IA64)   \Rtmgdr
   05-Jul-2003  18:05  5.2.3790.59     2,127,872  Rpcrt4.dll      (IA64)   \Rtmgdr
   05-Jul-2003  18:05  5.2.3790.68       660,992  Rpcss.dll       (IA64)   \Rtmgdr
   05-Jul-2003  18:03  5.2.3790.68     1,182,720  Wole32.dll      (X86)    \Rtmgdr\Wow
   05-Jul-2003  18:03  5.2.3790.59       539,648  Wrpcrt4.dll     (X86)    \Rtmgdr\Wow
   05-Jul-2003  18:03  5.2.3790.68     3,548,672  Ole32.dll       (IA64)   \Rtmqfe
   05-Jul-2003  18:03  5.2.3790.63     2,128,384  Rpcrt4.dll      (IA64)   \Rtmqfe
   05-Jul-2003  18:03  5.2.3790.68       662,016  Rpcss.dll       (IA64)   \Rtmqfe
   05-Jul-2003  18:01  5.2.3790.68     1,182,720  Wole32.dll      (X86)    \Rtmqfe\Wow
   05-Jul-2003  18:01  5.2.3790.63       539,648  Wrpcrt4.dll     (X86)    \Rtmqfe\Wow

Note When you install this security patch on a computer that is running Windows Server 2003 or Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you previously installed a hotfix to update one of these files, the installer copies the hotfix files to your computer. Otherwise, the installer copies the GDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package

You can verify the files that this security patch installs by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980\Filelist

Windows XP (All Versions)

Download Information

The following files are available for download from the Microsoft Download Center:

  • Windows XP Professional and Windows XP Home Edition
  • Windows XP 64-Bit Edition Version 2002

Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Installation Information

This security patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that network administrators can use to scan a network for the presence of systems that do not have this security patch installed. For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980

For additional information about Microsoft Baseline Security Analyzer (MBSA), click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

Deployment Information

To install the security patch without any user intervention, use the following command:

WindowsXP-KB823980-x86-ENU /u /q

To install the security patch without forcing the computer to restart, use the following command:

WindowsXP-KB823980-x86-ENU /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart Requirement

You must restart your computer after you apply this security patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information

For Windows XP-based computers, this security patch replaces 331953 (MS03-010).

This patch is replaced by 824146 (MS03-039). For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Professional and Windows XP Home Edition:

   Date         Time   Version            Size    File name
   -------------------------------------------------------------------
   05-Jul-2003  19:14  5.1.2600.115    1,092,096  Ole32.dll    pre-SP1
   05-Jul-2003  19:14  5.1.2600.109      439,296  Rpcrt4.dll   pre-SP1
   05-Jul-2003  19:14  5.1.2600.115      203,264  Rpcss.dll    pre-SP1
   05-Jul-2003  19:12  5.1.2600.1243   1,120,256  Ole32.dll    with SP1
   05-Jul-2003  19:12  5.1.2600.1230     504,320  Rpcrt4.dll   with SP1
   05-Jul-2003  19:12  5.1.2600.1243     202,752  Rpcss.dll    with SP1

Windows XP 64-Bit Edition Version 2002:

   Date         Time   Version            Size    File name
   --------------------------------------------------------------------------------
   05-Jul-2003  19:15  5.1.2600.115    4,191,744  Ole32.dll        (IA64)  pre-SP1
   05-Jul-2003  19:15  5.1.2600.109    2,025,472  Rpcrt4.dll       (IA64)  pre-SP1
   05-Jul-2003  19:15  5.1.2600.115      737,792  Rpcss.dll        (IA64)  pre-SP1
   05-Jul-2003  19:12  5.1.2600.1243   4,292,608  Ole32.dll        (IA64)  with SP1
   05-Jul-2003  19:12  5.1.2600.1230   2,292,224  Rpcrt4.dll       (IA64)  with SP1
   05-Jul-2003  19:12  5.1.2600.1243     738,304  Rpcss.dll        (IA64)  with SP1
   05-Jul-2003  18:37  5.1.2600.115    1,092,096  Wole32.dll       (X86)   pre-SP1
   03-Jan-2003  02:06  5.1.2600.109      440,320  Wrpcrt4.dll      (X86)   pre-SP1
   05-Jul-2003  18:07  5.1.2600.1243   1,120,256  Wole32.dll       (X86)   with SP1
   04-Jun-2003  17:35  5.1.2600.1230     505,344  Wrpcrt4.dll      (X86)   with SP1

Note The Windows XP versions of this patch are packaged as dual-mode packages. For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

328848 Description of dual-mode update packages for Windows XP


You can verify the files that this security patch installs by reviewing the following registry key:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980\Filelist

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980\Filelist
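
The file-version comparison described above ("file attributes (or later)"), as an added example that is not Microsoft's scanning tool or part of the original article: it parses the Windows XP Professional/Home Edition rows from the "File Information" table and audits a collected inventory against the row set that matches each host's service pack. The inventory records, their field names (name, service_pack, files) and the host file versions are constructed for illustration.

```python
import re

# Rows copied from the Windows XP Professional / Home Edition table in this article.
XP_FILE_TABLE = """\
05-Jul-2003  19:14  5.1.2600.115    1,092,096  Ole32.dll    pre-SP1
05-Jul-2003  19:14  5.1.2600.109      439,296  Rpcrt4.dll   pre-SP1
05-Jul-2003  19:14  5.1.2600.115      203,264  Rpcss.dll    pre-SP1
05-Jul-2003  19:12  5.1.2600.1243   1,120,256  Ole32.dll    with SP1
05-Jul-2003  19:12  5.1.2600.1230     504,320  Rpcrt4.dll   with SP1
05-Jul-2003  19:12  5.1.2600.1243     202,752  Rpcss.dll    with SP1
"""

# date, time, version, size, file name, branch
ROW = re.compile(
    r"^\s*\d{2}-[A-Za-z]{3}-\d{4}\s+\d{1,2}:\d{2}\s+"
    r"(?P<version>\d+(?:\.\d+){3})\s+[\d,]+\s+"
    r"(?P<name>\S+)\s+(?P<branch>pre-SP1|with SP1)\s*$"
)


def parse_version(text):
    """Turn '5.1.2600.1243' into (5, 1, 2600, 1243) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def load_baseline(table):
    """Map (branch, lower-cased file name) to the minimum patched version."""
    baseline = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            baseline[(m["branch"], m["name"].lower())] = parse_version(m["version"])
    return baseline


def audit_host(host, baseline):
    """Return findings for one host; an empty list means every file meets the table."""
    branches = {0: "pre-SP1", 1: "with SP1"}
    sp = host["service_pack"]
    if sp not in branches:
        # The table only lists released Windows XP and SP1; do not guess for others.
        raise ValueError(f"{host['name']}: no baseline in this table for SP{sp}")
    findings = []
    for (row_branch, name), required in sorted(baseline.items()):
        if row_branch != branches[sp]:
            continue
        raw = host["files"].get(name)
        if raw is None:
            findings.append(f"{name}: version not collected")
        elif parse_version(raw) < required:
            minimum = ".".join(str(n) for n in required)
            findings.append(f"{name}: {raw} is older than {minimum}")
    return findings


# Constructed inventory (hypothetical hosts and versions, not real scan output).
INVENTORY = [
    {"name": "xp-sp1-patched", "service_pack": 1,
     "files": {"ole32.dll": "5.1.2600.1243", "rpcrt4.dll": "5.1.2600.1230",
               "rpcss.dll": "5.1.2600.1243"}},
    # As text, "5.1.2600.99" sorts after "5.1.2600.115"; numerically it is older.
    {"name": "xp-rtm-old-ole32", "service_pack": 0,
     "files": {"ole32.dll": "5.1.2600.99", "rpcrt4.dll": "5.1.2600.109",
               "rpcss.dll": "5.1.2600.115"}},
    # SP1 host whose files only meet the pre-SP1 rows, with Rpcss.dll not collected.
    {"name": "xp-sp1-rtm-files", "service_pack": 1,
     "files": {"ole32.dll": "5.1.2600.115", "rpcrt4.dll": "5.1.2600.109"}},
]


def audit_inventory(inventory, table=XP_FILE_TABLE):
    """Audit every host and return {host name: findings}."""
    baseline = load_baseline(table)
    return {host["name"]: audit_host(host, baseline) for host in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "NEEDS REVIEW")
        for finding in findings:
            print("   ", finding)
```

Selecting the rows by service pack matters because a file that satisfies a pre-SP1 row can still be older than the corresponding "with SP1" row.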

Windows 2000 (All Versions)

Download Information

The following file is available for download from the Microsoft Download Center:

Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note This patch is not supported on Windows 2000 Datacenter Server. For information about how to obtain a security patch for Windows 2000 Datacenter Server, contact your participating OEM vendor. For additional information about Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

Prerequisites

This security patch requires Windows 2000 Service Pack 2 (SP2), Windows 2000 Service Pack 3 (SP3), or Windows 2000 Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Installation Information

This security patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.
Microsoft has released a tool that you can use to scan a network for the presence of systems that do not have this security patch installed. For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980

For additional information about Microsoft Baseline Security Analyzer (MBSA), click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

Deployment Information

To install the security patch without any user intervention, use the following command:

Windows2000-KB823980-x86-ENU /u /q

To install the security patch without forcing the computer to restart, use the following command:

Windows2000-KB823980-x86-ENU /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart Requirement

You must restart your computer after you apply this security patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information

For Windows 2000-based computers, this security patch replaces 331953 (MS03-010).

This patch is replaced by 824146 (MS03-039). For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version            Size    File name
   --------------------------------------------------------------
   05-Jul-2003  17:15  5.0.2195.6769     944,912  Ole32.dll        
   05-Jul-2003  17:15  5.0.2195.6753     432,400  Rpcrt4.dll       
   05-Jul-2003  17:15  5.0.2195.6769     188,688  Rpcss.dll 

You can verify the files that this security patch installs by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980\Filelist

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Windows NT 4.0 (All Versions)

Download Information

The following files are available for download from the Microsoft Download Center:

  • Windows NT 4.0 Server
  • Windows NT 4.0 Server, Terminal Server Edition

Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

Note This security patch will install on Windows NT 4.0 Workstation. However, Microsoft no longer supports this version, according to the Microsoft Lifecycle Support policy. Additionally, this security patch has not been tested on Windows NT 4.0 Workstation. For information about the Microsoft Lifecycle Support policy, visit the following Microsoft Web site:

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Installation Information

This security patch supports the following Setup switches:
  • /y : Perform removal (only with /m or /q ).
  • /f : Force programs to be closed at shutdown.
  • /n : Do not create an Uninstall folder.
  • /z : Do not restart when update completes.
  • /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
  • /m : Use Unattended mode with user interface.
  • /l : List installed hotfixes.
  • /x : Extract the files without running Setup.

Microsoft has released a tool that you can use to scan a network for the presence of systems that do not have this security patch installed. For additional information about this tool, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

You can also verify that the security patch is installed on your computer by using Microsoft Baseline Security Analyzer (MBSA), by comparing the file versions on your computer to the list of files in the "File Information" section of this article, or by confirming that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823980

For additional information about Microsoft Baseline Security Analyzer (MBSA), click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

Deployment Information

To install the security patch without any user intervention, use the following command:

Q823980i /q

To install the security patch without forcing the computer to restart, use the following command:

Q823980i /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart Requirement

You must restart your computer after you apply this security patch.

Removal Information

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB823980$\Spuninst folder. The utility supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when installation is complete.
  • /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information

For Windows NT 4.0-based computers, this security patch replaces the security patch that is provided with Microsoft Security Bulletin MS01-048.

This patch is replaced by 824146 (MS03-039). For more information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT 4.0 Server:
   Date         Time  Version           Size     File name
   --------------------------------------------------------------
   05-Jul-2003  5:26  4.0.1381.7224     701,200  Ole32.dll
   05-Jul-2003  5:26  4.0.1381.7219     345,872  Rpcrt4.dll
   05-Jul-2003  5:26  4.0.1381.7224     107,280  Rpcss.exe

Windows NT 4.0 Server, Terminal Server Edition:
   Date         Time  Version           Size     File name
   --------------------------------------------------------------
   07-Jul-2003  3:29  4.0.1381.33549    701,712  Ole32.dll
   07-Jul-2003  3:29  4.0.1381.33474    345,360  Rpcrt4.dll
   07-Jul-2003  3:29  4.0.1381.33549    109,328  Rpcss.exe

To verify that the security patch has been installed on your computer, confirm that all files that are listed in the table are present on your computer.
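
The file-version comparison described above can be scripted from an administrative workstation. The following Python code is an added example and is not part of the original Microsoft article: it checks a per-host inventory against the minimum versions in the table, comparing version fields as numbers. The function names and the sample inventory are constructed for illustration.

```python
# Added example. Minimum versions are copied from the File Information table;
# the host inventory at the bottom is constructed sample data.
BASELINE = {
    "Windows NT 4.0 Server": {
        "ole32.dll": "4.0.1381.7224",
        "rpcrt4.dll": "4.0.1381.7219",
        "rpcss.exe": "4.0.1381.7224",
    },
    "Windows NT 4.0 Server, Terminal Server Edition": {
        "ole32.dll": "4.0.1381.33549",
        "rpcrt4.dll": "4.0.1381.33474",
        "rpcss.exe": "4.0.1381.33549",
    },
}

def parse_version(text):
    """Turn '4.0.1381.7224' into (4, 0, 1381, 7224) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)

def audit_host(edition, observed):
    """Map each baseline file to 'ok', 'outdated', 'missing' or 'unreadable'."""
    seen = {name.lower(): ver for name, ver in observed.items()}
    report = {}
    for name, minimum in BASELINE[edition].items():
        if name not in seen:
            report[name] = "missing"
            continue
        try:
            current = parse_version(seen[name])
        except ValueError:
            report[name] = "unreadable"
            continue
        # "or later" in the article: any version >= the listed one passes.
        report[name] = "ok" if current >= parse_version(minimum) else "outdated"
    return report

# Constructed inventory: a Terminal Server Edition host carrying the plain
# NT 4.0 Server build of Rpcrt4.dll. As text "7219" sorts after "33474", so a
# string comparison would wrongly accept it; the numeric one flags it.
SAMPLE = {"Ole32.dll": "4.0.1381.33549", "Rpcrt4.dll": "4.0.1381.7219"}

if __name__ == "__main__":
    edition = "Windows NT 4.0 Server, Terminal Server Edition"
    for name, status in audit_host(edition, SAMPLE).items():
        print("%-12s %s" % (name, status))
```

Check each host against the table for its own edition, because the Terminal Server Edition files carry a different build range.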

WORKAROUND

Although Microsoft urges all customers to apply the security patch at the earliest possible opportunity, there are several workarounds that you can use in the interim to help prevent the vector that is used to exploit this vulnerability.

These workarounds are temporary measures. They only help to block the paths of attack. They do not correct the underlying vulnerability.

The following sections provide information that you can use to help protect your computer from attack. Each section describes the workarounds that you can use, depending on your computer's configuration and depending on the level of functionality that you require.
  • Block UDP ports 135, 137, 138, and 445 and TCP ports 135, 139, 445, and 593 at your firewall, and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines.

    These ports are used to initiate an RPC connection with a remote computer. Blocking these ports at the firewall will help prevent systems behind that firewall from being attacked by attempts to exploit these vulnerabilities. You should also block any other specifically configured RPC port on the remote machine.

    If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP ports 80 (and port 443 on Windows XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected machines. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:

    825819 How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

    For additional information about RPC over HTTP, visit the following Microsoft Web site:

    Additionally, customers may have configured services or protocols that use RPC that may also be accessible from the Internet. Systems administrators are strongly encouraged to examine RPC ports that are exposed to the Internet and to either block these ports at their firewall or to apply the patch immediately.
  • Use Internet Connection Firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines. If you are using the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help to protect your Internet connection, it will by default block inbound RPC traffic from the Internet. Make sure that CIS and RPC over HTTP are disabled on all affected machines. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:

    825819 How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

    For additional information about RPC over HTTP, visit the following Microsoft Web site:
  • Block the affected ports by using an IPSec filter and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines.

    You can secure network communications on Windows 2000-based computers if you use Internet Protocol Security (IPSec). For additional information about IPSec and how to apply filters, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    313190 HOW TO: Use IPSec IP Filter Lists in Windows 2000

    813878 How to Block Specific Network Protocols and Ports by Using IPSec

    Make sure that CIS and RPC over HTTP are disabled on all affected machines. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:

    825819 How to Remove COM Internet Services (CIS) and RPC over HTTP Proxy Support

  • Disable DCOM on all affected computers: When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers.

    You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so disables all communication between objects on that computer and objects on other computers. If you disable DCOM on a remote computer, you then cannot remotely access that computer to re-enable DCOM. To re-enable DCOM, you must have physical access to that computer. For additional information about how to disable DCOM, click the following article number to view the article in the Microsoft Knowledge Base:

    825750 How to Disable DCOM Support in Windows

    Note For Windows 2000, the methods described in Microsoft Knowledge Base article 825750 to disable DCOM will only work on computers that are running Windows 2000 Service Pack 3 or later. Customers using Service Pack 2 or earlier should upgrade to a later service pack or use one of the other workarounds.
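
To confirm which of the ports named in the first workaround a host is actually listening on, the output of netstat -an can be checked against that list. The following Python code is an added example and is not part of the original Microsoft article; the function name and the netstat text are constructed for illustration.

```python
# Added example. Port sets come from the first workaround in this article;
# the netstat text below is constructed sample output, not from a real host.
WORKAROUND_PORTS = {"TCP": {135, 139, 445, 593}, "UDP": {135, 137, 138, 445}}
CIS_PORTS = {80, 443}  # used by CIS and RPC over HTTP when they are enabled

def exposed_rpc_listeners(netstat_text):
    """Return sorted (proto, port, action) tuples for remotely reachable listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in WORKAROUND_PORTS:
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING sockets accept connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        address, _, port_text = local.rpartition(":")
        if not port_text.isdigit() or address.startswith("127."):
            continue  # unparsable, or bound to loopback only
        port = int(port_text)
        if port in WORKAROUND_PORTS[proto]:
            findings.add((proto, port, "block at firewall"))
        elif proto == "TCP" and port in CIS_PORTS:
            findings.add((proto, port, "confirm CIS and RPC over HTTP are disabled"))
    return sorted(findings)

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:1900      *:*
"""

if __name__ == "__main__":
    for proto, port, action in exposed_rpc_listeners(SAMPLE_NETSTAT):
        print("%s %-4d %s" % (proto, port, action))
```

A listener on TCP port 80 or 443 is often an ordinary Web server, so that finding only prompts a check that CIS and RPC over HTTP are disabled on the host.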

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

For more information about securing RPC for clients and servers, visit the following Microsoft Web site:

For more information about the ports that RPC uses, visit the following Microsoft Web site:

For additional information about the Blaster worm virus that tries to exploit the vulnerability that is fixed by this security patch, click the following article number to view the article in the Microsoft Knowledge Base:

826955 Virus Alert About the Blaster Worm and Its Variants

For additional information about the Nachi worm virus that tries to exploit the vulnerability that is fixed by this security patch, click the following article number to view the article in the Microsoft Knowledge Base:

826234 Virus Alert About the Nachi Worm

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product


Modification Type: Major
Last Reviewed: 8/29/2006