Security Alert: RPC Flaw in Windows NT, 2000, XP, and 2003
Updated 9/16/03 at 9:26am to include a link to an online RPC flaw tester.
Today (9/10/03), Microsoft announced that the original RPC patches did not fix all of the flaws in the RPC service in Windows. They have released new patches that should now correct all of the RPC security flaws. We strongly encourage everyone with a Windows NT, 2000, XP, or 2003 Server system to download and install these updated patches, which are now available from this web page, even if you installed the original patch.
There is a good chance that new Lovesan/Blaster-like viruses will be created to take advantage of the RPC flaws that were not fixed by the original patches.
There is a serious security flaw present in Windows NT Server, Windows 2000, Windows XP, and Windows 2003 Server. Left unpatched, this flaw could allow a hacker to read, write, or delete files on your computer, or to set up user accounts on the computer that would allow them to take control of your system at a later date. Worms and viruses such as Lovesan (Blaster) and Nachi use this flaw to spread, and those worms are still very prevalent on the Internet. We have seen numerous computers at UMCP that were infected with these worms and viruses.
We strongly encourage everyone with one of the Windows systems listed above to download the small software patch that will fix the flaw.
We now have a web page that will allow you to test whether your computer still needs to be patched with the latest RPC patch. Click on the link below to perform the test:
Flaw Tester: http://itsecurity.umd.edu/rpc-scan.html
If the test says that your computer still appears to be vulnerable, you will need to install the appropriate patch.
Simply click on the appropriate link from the list of Windows versions below and follow any installation instructions presented to you:
If you still have questions or problems regarding this patch, please refer to the Common Questions and Answers section below.
Further Technical Details
System administrators who would like to know more about what this RPC flaw is and how it is exploited can read the more technical version of the security alert from Microsoft (the newest alert, released on 9/10/03) at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
Common Questions and Answers
Question: When I start the installation of the patch for Windows XP, it tells me that I should back up my system before I proceed. Do I really need to do that?
Answer: That warning is merely the standard advice Microsoft gives during the installation of any update patch; there is no compelling reason to back up your system before you install this patch.
Question: When I start the installation of the patch for Windows 2000, it tells me that I should update my "system repair disk". What is that, and should I do it?
Answer: The system repair disk, also referred to as the Emergency Repair Disk, is a single floppy disk that keeps a record of some key setting information about your machine, and can sometimes be used to repair damage to the Windows 2000 operating system. While it is not necessary to update this disk before installing the patch, it is not a bad idea to do so. You can learn how to create or update the Emergency Repair Disk at http://www.helpdesk.umd.edu/documents/3/3040/.
Question: I've just finished installing the patch, and now it asks me to reboot my computer. Do I really need to do that?
Answer: Yes, you need to reboot your computer in order for the patch to protect your system. If you haven't personally restarted your computer in a long time, please make sure you know the username and password you need in order to log in to the machine again once it has restarted.
Question: I cannot install this patch or other software on my computer because my local computer technical staff has set up my machine that way. What should I do?
Answer: Ask your technical staff members whether they have already patched the machine (which is possible) or when they are going to do so, and then let them handle it.
Question: I have to install Service Pack 2 (or Service Pack 3) on my Windows 2000 computer before I can install the patch. How long will installing the Service Pack take?
Answer: If you download the express installation version of the Service Pack, it will probably take about 20 to 30 minutes to install over the campus network. It will obviously take much longer if you are using a dial-up connection.
Question: At the start of the installation for Service Pack 2 (or Service Pack 3), it gives me the option of backing up my current system files (which will require 60MB of hard drive space). Should I do that?
Answer: If you still have plenty of space on your hard drive, then it would be worth backing up the files as a precaution, not so much because the patch could cause a problem, but because the changes made by the Service Pack could potentially cause problems with any atypical software you might run on your machine. Saving the backup files would allow you to reverse the installation of the Service Pack (using the Add/Remove Programs feature in your Control Panel) if necessary.
Question: It says that Windows 2000 users might need to install Service Pack 2 or Service Pack 3 in order to install the patch. Can I install Service Pack 4 instead? If I already have Service Pack 4, am I already protected from this flaw?
Answer: Yes, you can install Service Pack 4 instead of Service Pack 2 or 3 from Microsoft's web page at http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp. Service Pack 4 was released before this security flaw was discovered, so simply installing Service Pack 4 will NOT protect you from this flaw: you must still install the patch.
To learn how to sign up to receive alerts via email about any new viruses that threaten the university, click here.