Microsoft KB Archive/824146

= MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs =

Article ID: 824146

Article Last Modified on 9/27/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-





Technical update
Note This Bulletin (MS03-039) has been superceded by Microsoft Security Bulletin MS04-012.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM


 * September 12, 2003:
 * In the &quot;Download Information&quot; section for Windows XP, a note was added to indicate that the security patch for Windows XP 64-Bit Edition, Version 2003, is the same as the security patch for 64-bit versions of Windows Server 2003.
 * In the &quot;File Information&quot; section for Windows XP, registration information was added for the file manifests for 64-bit editions of Windows XP and for Windows XP without Service Pack 1 (SP1).
 * In the &quot;File Information&quot; sections, a note was added to indicate that the registry key for the file manifests for this security patch are not created when an administrator or an OEM integrates or slipstreams this security patch into their Windows installation source files.
 * In the &quot;Installation Information&quot; sections for Windows Server 2003 and for Windows XP, a note was added to indicate that MBSA Version 1.1.1 incorrectly reports that 824146 is not installed if your environment uses the RTMQFE versions of the files in this security patch on computers that are running Windows Server 2003 or Windows XP 64-Bit Edition, Version 2003.
 * The &quot;Download Information&quot; section and the &quot;Prerequisites&quot; section for Windows 2000 were updated to indicate that this security patch can be installed on Windows 2000 Datacenter Server Service Pack 3 (SP3) and Service Pack 4 (SP4).



SYMPTOMS
Remote Procedure Call (RPC) is a protocol that is used by Windows. RPC provides an inter-process communication mechanism that allows a program that is running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions.

There are three identified vulnerabilities in the part of the Windows RPC service (RPCSS) that deals with RPC messages for DCOM activation. Two of the vulnerabilities could allow an attacker to run malicious programs; one of the vulnerabilities might result in a denial of service. The flaws result from incorrect handling of malformed messages. These vulnerabilities affect the Distributed Component Object Model (DCOM) interface in RPCSS. This interface handles DCOM object activation requests that are sent by client computers to the server.

An attacker who successfully exploits these vulnerabilities might be able to run code with Local System rights on an affected computer, or could cause RPCSS to stop working. The attacker could then take any action on the computer, including installing programs, viewing, changing, or deleting data, or creating new accounts with full rights.

To exploit these vulnerabilities, an attacker could create an exploit program to send a malformed RPC message that targets RPCSS on a vulnerable server.

Mitigating factors
 Firewall best practices and standard default firewall configurations can help to protect networks from remote attacks that originate outside the enterprise perimeter. Best practices recommend that you block all the ports that are not actually being used. Therefore, most computers that are attached to the Internet should have a minimal number of the affected ports exposed. For more information about the ports that are used by RPC, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true



Note Microsoft tested Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Microsoft Windows Millennium Edition (Me) does not include the features that are associated with these vulnerabilities. Earlier versions of Windows are no longer supported, and may or may not be affected by these vulnerabilities. For additional information about the Microsoft support life cycle, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;en-us;lifecycle

Note The features that are associated with these vulnerabilities are also not included with Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows 98 Second Edition, even if DCOM is installed.



Security patch information
For information about how to resolve this vulnerability, click the appropriate link:
 * Windows Server 2003 (all versions)
 * Windows XP (all versions)
 * Windows 2000 (all versions)
 * Windows NT 4.0 (all versions)

Download information
The following files are available for download from the Microsoft Download Center:

Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition

Download the 824146 package now.

Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition

Download the 824146 package now.

Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This security patch requires a released version of Windows Server 2003.

Installation information
This security patch supports the following Setup switches:
 * /?: Show the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List the installed hotfixes.
 * /x: Extract the files without running Setup.

To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

Note MBSA Version 1.1.1 incorrectly reports that 824146 is not installed if the RTMQFE versions of the files for this security patch are used in your environment.

You may also be able to verify that this security patch is installed by confirming that the following registry key exists:

Deployment information
To install the security patch without any user intervention, use the following command line:

 Windowsserver2003-kb824146-x86-enu /u /q 

To install the security patch without forcing the computer to restart, use the following command line:

 Windowsserver2003-kb824146-x86-enu /z 

Note You can combine these switches into one command line.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this security patch.

Removal information
To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824146$\Spuninst folder, and it supports the following Setup switches:
 * /?: Show the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet mode (no user interaction).

Security patch replacement information
This security patch replaces MS03-026 (823980). For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

File information
The English version of this has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, and Windows Server 2003, Datacenter Edition:   Date         Time   Version      Size       File name   Folder --  23-Aug-2003  18:56  5.2.3790.80  1,183,744  Ole32.dll   RTMGDR 23-Aug-2003 18:56  5.2.3790.76    657,920  Rpcrt4.dll  RTMGDR 23-Aug-2003 18:56  5.2.3790.80    284,672  Rpcss.dll   RTMGDR 23-Aug-2003 18:48  5.2.3790.80  1,183,744  Ole32.dll   RTMQFE 23-Aug-2003 18:48  5.2.3790.76    658,432  Rpcrt4.dll  RTMQFE 23-Aug-2003 18:48  5.2.3790.80    285,184  Rpcss.dll   RTMQFE Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:   Date         Time   Version      Size       File name    Platform  Folder -  23-Aug-2003  18:56  5.2.3790.80  3,551,744  Ole32.dll    IA64      RTMGDR 23-Aug-2003 18:56  5.2.3790.76  2,127,872  Rpcrt4.dll   IA64      RTMGDR 23-Aug-2003 18:56  5.2.3790.80    665,600  Rpcss.dll    IA64      RTMGDR 23-Aug-2003 18:56  5.2.3790.80  1,183,744  Wole32.dll   x86       RTMGDR 23-Aug-2003 18:56  5.2.3790.76    539,648  Wrpcrt4.dll  x86       RTMGDR 23-Aug-2003 18:48  5.2.3790.80  3,551,232  Ole32.dll    IA64      RTMQFE 23-Aug-2003 18:48  5.2.3790.76  2,128,384  Rpcrt4.dll   IA64      RTMGDR 23-Aug-2003 18:48  5.2.3790.80    666,624  Rpcss.dll    IA64      RTMGDR 23-Aug-2003 18:48  5.2.3790.80  1,183,744  Wole32.dll   x86       RTMGDR 23-Aug-2003 18:48  5.2.3790.76    539,648  Wrpcrt4.dll  x86       RTMGDR Note When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

Windows XP (all versions)
To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

811113 List of fixes included in Windows XP Service Pack 2

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition

Download the 824146 package now.

Windows XP 64-Bit Edition Version 2002

Download the 824146 package now.

Windows XP 64-Bit Edition Version 2003

Download the 824146 package now.

Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003. Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Installation information
This security patch supports the following Setup switches:
 * /?: Show the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List the installed hotfixes.
 * /x: Extract the files without running Setup.

To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

Note MBSA Version 1.1.1 incorrectly reports that 824146 is not installed if the RTMQFE versions of the files for this security patch are used on a computer that is running Windows XP 64-Bit Edition, Version 2003.

You may also be able to verify that the security patch is installed on your computer by confirming that the following registry key exists:

Windows XP

Windows XP with Service Pack 1 (SP1)

Windows XP 64-Bit Edition Version 2003

Deployment Information
To install the security patch without any user intervention, use the following command line:

 Windowsxp-kb824146-x86-enu /u /q 

To install the security patch without forcing the computer to restart, use the following command line:

 Windowsxp-kb824146-x86-enu /z 

Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this security patch.

Removal information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824146$\Spuninst folder, and it supports the following Setup switches:
 * /?: Show the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet mode (no user interaction).

Security patch replacement information
This security patch replaces MS03-026 (823980). For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:   Date         Time   Version        Size       File name ---  25-Aug-2003  22:29  5.1.2600.118   1,093,632  Ole32.dll  (pre-SP1) 25-Aug-2003 22:29  5.1.2600.109     439,296  Rpcrt4.dll (pre-SP1) 25-Aug-2003 22:29  5.1.2600.118     204,288  Rpcss.dll  (pre-SP1) 25-Aug-2003 18:53  5.1.2600.1263  1,172,992  Ole32.dll  (with SP1) 25-Aug-2003 18:53  5.1.2600.1254    532,480  Rpcrt4.dll (with SP1) 25-Aug-2003 18:53  5.1.2600.1263    260,608  Rpcss.dll  (with SP1) Windows XP 64-Bit Edition Version 2002:   Date         Time   Version        Size       File name    Platform --  25-Aug-2003  19:30  5.1.2600.118   4,195,840  Ole32.dll    IA64 (pre-SP1) 25-Aug-2003 19:30  5.1.2600.109   2,025,472  Rpcrt4.dll   IA64 (pre-SP1) 25-Aug-2003 19:30  5.1.2600.118     741,888  Rpcss.dll    IA64 (pre-SP1) 20-Aug-2003 18:16  5.1.2600.118   1,093,632  Wole32.dll   x86  (pre-SP1) 02-Jan-2003 23:06  5.1.2600.109     440,320  Wrpcrt4.dll  x86  (pre-SP1) 27-Aug-2003 18:12  5.1.2600.1263  4,296,192  Ole32.dll    IA64 (with SP1) 27-Aug-2003 18:12  5.1.2600.1254  2,298,880  Rpcrt4.dll   IA64 (with SP1) 27-Aug-2003 18:12  5.1.2600.1263    742,400  Rpcss.dll    IA64 (with SP1) 27-Aug-2003 17:27  5.1.2600.1263  1,172,992  Wole32.dll   x86  (with SP1) 02-Aug-2003 22:14  5.1.2600.1254    506,880  Wrpcrt4.dll  x86  (with SP1) Windows XP 64-Bit Edition Version 2003:   Date         Time   Version      Size       File name    Platform  Folder -  23-Aug-2003  18:56  5.2.3790.80  3,551,744  Ole32.dll    IA64      RTMGDR 23-Aug-2003 18:56  5.2.3790.76  2,127,872  Rpcrt4.dll   IA64      RTMGDR 23-Aug-2003 18:56  5.2.3790.80    665,600  Rpcss.dll    IA64      RTMGDR 23-Aug-2003 18:56  5.2.3790.80  1,183,744  Wole32.dll   x86       RTMGDR 23-Aug-2003 18:56  5.2.3790.76    539,648  Wrpcrt4.dll  x86       RTMGDR 23-Aug-2003 18:48  5.2.3790.80  3,551,232  Ole32.dll    IA64      RTMQFE 23-Aug-2003 18:48  5.2.3790.76  2,128,384  Rpcrt4.dll   IA64      RTMGDR 23-Aug-2003 18:48  5.2.3790.80    666,624  Rpcss.dll    IA64      RTMGDR 23-Aug-2003 18:48  5.2.3790.80  1,183,744  Wole32.dll   x86       RTMGDR 23-Aug-2003 18:48  5.2.3790.76    539,648  Wrpcrt4.dll  x86       RTMGDR Notes  When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages

 The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

328848 Description of dual-mode update packages for Windows XP

</li></ul>

You may also be able to verify the files that this security patch installed by reviewing the following registry keys:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:

For Windows XP 64-Bit Edition, Version 2003:

Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

To resolve this problem, obtain Update Rollup 1 for Windows 2000 SP4. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

891861 Update Rollup 1 for Windows 2000 SP4 and known issues

Download information
The following file is available for download from the Microsoft Download Center:

Download the 824146 package now.

Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
For Windows 2000 Datacenter Server, this security patch requires Service Pack 3 (SP3). For other versions of Windows 2000, this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

Note Windows 2000 Service Pack 2 has reached the end its life cycle as previously documented, and Microsoft does not typically provide generally available security patches for this product. However, because of the nature of this vulnerability, because the end-of-life occurred very recently, and because many customers are currently running Windows 2000 Service Pack 2, Microsoft has decided to make an exception for this vulnerability.

Microsoft does not anticipate doing this for future vulnerabilities, but reserves the right to produce and make available security patches when they are necessary. Microsoft urges customers with existing Windows 2000 Service Pack 2-based computers to migrate those computers to supported Windows versions to prevent exposure to future vulnerabilities. For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

http://www.microsoft.com/windows/lifecycle/default.mspx

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information
This security patch supports the following Setup switches:
 * /?: Show the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List the installed hotfixes.
 * /x: Extract the files without running Setup.

To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

You may also be able to verify that the security patch is installed on your computer by confirming that the following registry key exists:

Deployment information
To install the security patch without any user intervention, use the following command line:

 Windows2000-kb824146-x86-enu /u /q 

To install the security patch without forcing the computer to restart, use the following command line:

 Windows2000-kb824146-x86-enu /z 

Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this security patch.

Removal information
To remove this security patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824146$\Spuninst folder, and it supports the following Setup switches:
 * /?: Show the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet mode (no user interaction).

Security patch replacement information
This security patch replaces MS03-026 (823980). For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. <pre class="fixed_text">  Date         Time   Version        Size     File name --  23-Aug-2003  18:48  5.0.2195.6810  945,936  Ole32.dll 23-Aug-2003 18:48  5.0.2195.6802  432,912  Rpcrt4.dll 23-Aug-2003 18:48  5.0.2195.6810  192,272  Rpcss.dll You may also be able to verify the files that this security patch installed by reviewing the following registry key:

Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

Download information
The following files are available for download from the Microsoft Download Center:

Windows NT Workstation 4.0

Download the 824146 package now.

Windows NT Server 4.0

Download the 824146 package now.

Windows NT Server 4.0, Terminal Server Edition

Download the 824146 package now.

Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This security patch requires Windows NT Server 4.0 Service Pack 6a (SP6a), Windows NT Workstation 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).

Note Windows NT Workstation 4.0 has reached the end its life cycle as previously documented, and Microsoft does not typically provide generally available security patches for this product. However, because of the nature of this vulnerability, because the end-of-life occurred very recently, and because many customers are currently running Windows NT Workstation 4.0, Microsoft has decided to make an exception for this vulnerability.

Microsoft does not anticipate doing this for future vulnerabilities, but reserves the right to produce and make available security patches when they are necessary. Microsoft urges customers with existing Windows NT Workstation 4.0-based computers to migrate those computers to supported Windows versions to prevent exposure to future vulnerabilities. For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

http://www.microsoft.com/windows/lifecycle/default.mspx

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation information
This security patch supports the following Setup switches:


 * /y: Perform removal (only with /m or /q ).
 * /f: Force programs to quit during the shutdown process.
 * /n: Do not create an Uninstall folder.
 * /z: Do not restart when the update completes.
 * /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
 * /m: Use Unattended mode with a user interface.
 * /l: List the installed hotfixes.
 * /x: Extract the files without running Setup.

To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

You may also be able to verify that the security patch is installed on your computer by confirming that the following registry key exists:

Deployment information
To install the security patch without any user intervention, use the following command line:

 Windowsnt4server-kb824146-x86-enu /q 

To install the security patch without forcing the computer to restart, use the following command line:

 Windowsnt4server-kb824146-x86-enu /z 

Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this security patch.

Removal information
To remove this security patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB824146$ folder. The utility supports the following Setup switches:
 * /y: Perform removal (only with the /m or /q switch).
 * /f: Force programs to quit during the shutdown process.
 * /n: Do not create an Uninstall folder.
 * /z: Do not restart when the installation is complete.
 * /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch).
 * /m: Use Unattended mode with a user interface.
 * /l: List the installed hotfixes.

Security patch replacement information
This security patch replaces MS03-026 (823980). For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT Server 4.0: <pre class="fixed_text">  Date         Time   Version        Size     File name --  11-Aug-2003  11:29  4.0.1381.7230  701,200  Ole32.dll 11-Aug-2003 11:29  4.0.1381.7230  345,872  Rpcrt4.dll 11-Aug-2003 11:29  4.0.1381.7230  107,792  Rpcss.exe Windows NT Server 4.0, Terminal Server Edition: <pre class="fixed_text">  Date         Time   Version         Size     File name ---  11-Aug-2003  12:30  4.0.1381.33551  701,712  Ole32.dll 11-Aug-2003 12:14  4.0.1381.33551  345,360  Rpcrt4.dll 11-Aug-2003 12:30  4.0.1381.33551  109,328  Rpcss.exe Windows NT Workstation 4.0: <pre class="fixed_text">  Date         Time   Version        Size     File name --  11-Aug-2003  11:29  4.0.1381.7230  701,200  Ole32.dll 11-Aug-2003 11:29  4.0.1381.7230  345,872  Rpcrt4.dll 11-Aug-2003 11:29  4.0.1381.7230  107,792  Rpcss.exe You may also be able to verify the files that this security patch installed by reviewing the following registry key:

Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

<div class="workaround_section">

WORKAROUND
Although Microsoft urges all customers to apply the security patch at the earliest possible opportunity, there are some workarounds that you can use to help prevent the vector that is used to exploit this vulnerability in the interim. There is no guarantee that these workarounds will block all possible attack vectors.

Note These workarounds are temporary measures because they only help to block paths of attack instead of correcting the underlying vulnerability.  Block UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593 at your firewall. Also disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on the affected computers.

These ports are used to initiate an RPC connection with a remote computer. Blocking them at the firewall helps to prevent computers that are located behind the firewall from being attacked by attempts to exploit these vulnerabilities. Also block any other specifically configured RPC port on the remote computer.

If they are enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP port 80 (and port 443 on Windows XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected computers. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:

825819 How to remove COM Internet Services (CIS) and RPC over HTTP proxy support

For additional information about RPC over HTTP, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa378642.aspx

</li> Use Internet Connection Firewall (ICF), and disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on the affected computers.

If you are using the ICF feature in Windows XP or in Windows Server 2003 to help to protect your Internet connection, ICF blocks inbound RPC traffic from the Internet by default.

Note ICF is available in Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and that is a member of the Windows Server 2003 family.

Make sure that CIS and RPC over HTTP are disabled on all affected computers. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:

825819 How to remove COM Internet Services (CIS) and RPC over HTTP proxy support

For additional information about RPC over HTTP, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa378642.aspx

</li> Block the affected ports by using an Internet protocol security (IPSec) filter, and disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on the affected computers.

You can help to enhance the security of network communications on Windows 2000-based computers if you use IPSec. For additional information about IPSec and about how to use IP filter lists in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313190 How to use IPSec IP filter lists in Windows 2000

813878 How to block specific network protocols and ports by using IPSec

Make sure that CIS and RPC over HTTP are disabled on all affected computers. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:

825819 How to remove COM Internet Services (CIS) and RPC over HTTP proxy support

For additional information about RPC over HTTP, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa378642.aspx

</li> Disable DCOM on all affected computers. When a computer is part of a network, the DCOM wire protocol permits COM objects on that computer to communicate with COM objects on other computers.

You can disable DCOM for a computer to help to protect against this vulnerability, but doing so disables all communication between objects on that computer and objects on other computers. If you disable DCOM on a remote computer, you cannot remotely access that computer to enable DCOM again. To enable DCOM again, you must have physical access to that computer. For additional information about how to disable DCOM, click the following article number to view the article in the Microsoft Knowledge Base:

825750 How to disable DCOM support in Windows

Note For Windows 2000, the methods that Microsoft Knowledge Base article 825750 describes work only on computers that are running Service Pack 3 or later. Customers who are using Service Pack 2 or earlier must upgrade to a later service pack or use another workaround.</li></ul>

<div class="status_section">

STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 4.

<div class="moreinformation_section">

MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

For more information about helping to secure RPC for clients and servers, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa379441.aspx

For more information about the ports that are used by RPC, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true

Additional query words: security_patch

Keywords: kbbug kbfix kbsecvulnerability kbqfe kbsecurity kbwinnt400presp7fix kbsecbulletin kbwinxppresp2fix kbwin2000presp5fix kbwinserv2003presp1fix kbhotfixserver KB824146

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.