Article ID: 331953
Article Last Modified on 12/1/2007
APPLIES TO
- Microsoft Windows XP Professional
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Workstation 4.0 Developer Edition
This article was previously published under Q331953
SYMPTOMS
There is a vulnerability in the part of the remote procedure call (RPC) functionality that deals with message exchange over TCP/IP. The vulnerability results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper service allows RPC clients to determine the port number currently assigned to a particular RPC service.
CAUSE
Microsoft has provided updates to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft cannot provide an update for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to use the workaround that is discussed in the MS03-10 Security Bulletin. You can use this workaround to help protect the Windows NT 4.0 system with a firewall that blocks Port 135. To view the MS03-10 Security Bulletin, visit the following Microsoft Web site:
Mitigating factors
- To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper service that is running on the destination computer. For intranet environments, Endpoint Mapper is typically accessible. However, for Internet connected computers, the port that is used by Endpoint Mapper is typically blocked by a firewall. In a scenario where this port is not blocked or in an intranet configuration, the attacker would not require any additional administrative credentials.
- Best practices recommend blocking all TCP/IP ports that are not actually being used. Therefore, most computers attached to the Internet will have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments. For more information about how to secure RPC for client and server, visit the following Microsoft Web site:
For more information about the ports used by RPC, visit the following Microsoft Web site:
- This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote computer.
RESOLUTION
Service pack information
Windows XP
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Windows 2000
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 Service Pack
Update information
Download information
The following files are available for download from the Microsoft Download Center:
Windows XP Professional and Windows XP Home Edition
Windows XP 64-bit Edition:
Windows 2000
All languages except Japanese NEC:
Japanese NEC:
Release Date: March 25, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
The Windows 2000 version of this update requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3).
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Installation information
This update supports the following Setup program switches:
- /? : Display the list of installation switches.
- /u : Use Unattended mode.
- /f : Force other programs to quit when the computer shuts down.
- /n : Do not back up files for removal.
- /o : Overwrite OEM files without prompting.
- /z : Do not restart when installation is complete.
- /q : Use Quiet mode (no user interaction).
- /l : List installed hotfixes.
- /x : Extract the files without running the Setup program.
For example, to install the update without any user intervention, and then not to force the computer to restart, use the following command line:
q331953_wxp_sp2_x86_enu /u /q /z
To verify the update is installed on your computer, confirm that the following registry key exists:
Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953
Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953
Windows 2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953
Uninstall information
To remove this update, use the Add/Remove Programs tool in Control Panel.
System administrators can use the Spunist.exe utility to remove this update. Spuninst.exe is in the %Windir%\$NTUninstallQ331953$\Spuninst folder. The utility supports the following Setup program switches:
- /? : Display the list of installation switches.
- /u : Use unattended mode.
- /f : Force other programs to quit when the computer shuts down.
- /z : Do not restart when installation is complete.
- /q : Use Quiet mode (no user interaction).
Restart requirement
You must restart your computer after you apply this update because this update replaces core system binaries that are loaded during system startup. Your computer is vulnerable until you restart it.
File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows XP with Service Pack 1 (SP1)
Date Time Version Size File name ------------------------------------------------------ 07-Nov-2002 22:47 5.1.2600.1140 505,856 Rpcrt4.dll
Windows XP
Date Time Version Size File name ----------------------------------------------------- 08-Nov-2002 02:16 5.1.2600.105 439,296 Rpcrt4.dll
Windows 2000
Date Time Version Size File name ------------------------------------------------------ 25-Oct-2002 22:07 5.0.2195.6089 943,376 Ole32.dll 25-Oct-2002 22:07 5.0.2195.6106 429,840 Rpcrt4.dll 25-Oct-2002 22:07 5.0.2195.6089 184,592 Rpcss.dll
You can also verify the files that this update installed by reviewing the following registry key:
Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953\Filelist
Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953\Filelist
Windows 2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953\Filelist
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.
Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:
Additional query words: security_patch
Keywords: atdownload kbwinxpsp2fix kberrmsg kbwin2ksp4fix kbsecvulnerability kbsecurity kbsecdos kbsecbulletin kbwinxppresp2fix kbbug kbfix kbwin2000presp4fix KB331953