Why you must install a firewall -- now
Published: 17 Oct 2003
If you haven't already installed a personal firewall on your Windows computer, consider this your last warning. MSBlast, the worm that exploited the buffer overflow in Windows' DCOM RPC protocol, wasn't the sort of email-borne pest that anti-virus software is good at catching. Instead, it infiltrated computers directly through their Internet connections.
Although installing the latest Microsoft patches should prevent infections from this sort of worm, a simple software firewall will do the trick, too, whether or not you have anti-virus software installed.
A new critical Microsoft flaw
I mention this because Microsoft announced another critical flaw affecting DCOM RPC and released a new patch to fix it that supersedes the previous patch for this protocol. While there are still no public exploits that take advantage of this flaw (exploits are often precursors to major worms), the clock is ticking. History has shown that worms are usually released within 30 days of a major vulnerability announcement. In July, for example, Microsoft reported and patched a buffer-overflow vulnerability in RPC based on the work of the Last Stage of Delirium Research Group. The MSBlast worm, which capitalised on this vulnerability, appeared on August 12.
In September, based on additional research by the companies eEye Digital Security, NSFocus and Tenable Network Security, Microsoft reported two more buffer overflows and one denial-of-service vulnerability within its RPC protocol. The fact that it is similar to the first flaw could mean a shorter timeline to the next major RPC worm.
The Remote Procedure Call (RPC) is a protocol used by the Windows operating system. It's based on an RPC protocol from the Open Software Foundation, but it's the Microsoft-specific parts that are afflicted with vulnerabilities. The Distributed Component Model (DCOM), previously called Network Object Linking and Embedding (OLE), is a service that allows software on one computer to communicate directly with software on other computers over a network. In short, DCOM RPC in Windows allows a program on one machine to run code on another machine. To do so, a Windows computer must first listen on a dedicated port, usually 135.
The Microsoft touch
Microsoft added DCOM to Windows NT, and eventually to Windows 95, around 1996. Previously, OLE was primarily used on a single computer and for relatively simple tasks, such as allowing Excel to import text from Word. When an early Windows computer was first hooked up to a network, however, these associations were strained as files were shared and sent to other computers elsewhere on the network. DCOM allowed Windows applications to share objects no matter where the original objects were stored.
The problem is that RPC, like other services that use DCOM, is turned on by default for all Windows versions, whether or not you are working on a network. Also, when your system is connected to the Internet, DCOM makes Windows automatically listen on port 135 (and others) for remote signals. This means that a hacker need only construct a special message and aim it at port 135 on your Windows computer to cause a buffer-overflow error. The buffer overflow, in turn, could replace part of a program's original code with new code.
That's how a hacker could use this flaw to take over your computer remotely. Upon seizing control of your computer, a hacker could then reformat the hard drive, use the computer to damage other computers or steal personal data (note: this description makes it sound easier than it truly is to execute).
Prevention protection
What can you do to protect yourself? The best solution is to download and install the patches for these new RPC flaws immediately, which you can do at the Windows Update site. More information can be found on Microsoft's Protect Your PC page. For added safety, we also recommend installing a personal firewall if you haven't already. Windows XP includes a nominal personal firewall, but we recommend the free version of ZoneAlarm. If you like what you see (the user interface is intuitive and easy to use), consider buying the full version, ZoneAlarm Pro 4.0, to get maximum protection and extra features, such as pop-up killers.
These days, we consider a personal firewall, along with anti-virus software, to be a requirement if you connect your PC to the Internet. There are 65,000 ports on a computer, of which the DCOM RPC protocol uses 8. Activity on any of these ports could signal the presence of a new RPC-based worm. But without a firewall, you'd never know the worm was attacking your system. Now, you can't say you weren't warned.
Did you find this article useful?
30 out of 58 people found this useful
