Perhaps in recent news (notably featured on CNN) you have heard about a major “Windows Security Hole” that many experts are warning of. Yes, there is a very important and dangerous hole in Windows NT/2000/XP/2003. However, there are a few simple steps you can take to secure yourself from this hole (and even future holes).
1. Know Thy Enemy
The hole is also known as the Windows DCOM-RPC exploit. It uses ports 135, 137, 139, and 445 (Windows service ports) to overflow and crash the RPC server on a victim’s computer. To use the exploit, all a hacker must know is your IP address. Everything else is easy from there. However, in order for the attack to work, you must be running an un-patched version of: Windows NT (SP 0,1,2,3,4,5,6), Windows 2000 (SP 0,1,2,3,4), Windows XP Home (SP 0,1), Windows XP Pro (SP 0,1), or Windows 2003 Server.
2. Download the Patch
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
3. Block the Ports
Now, even though you have the patch, it is rumored that it does not work 100% of the time, and it is also sometimes hard to apply to different Windows installations, for one reason or another. That is why I recommend that you also find a way to block ports 135, 137, 139, and 445. Here are a few ways, depending on your setup:
- Block ‘em From Your Router/Firewall
If your router is configured with a whitelist (i.e. “Services”), erase any entries for ports 135, 137, 139, and 445. If it is configured with a blacklist (i.e. “Access Control”), add entries for ports 135, 137, 139, and 445. Make sure that DMZ Host is not on, or you have accomplished nothing.
- Block ‘em From Your Software Firewall
An excellent software firewall choice is ZoneAlarm. If you install this program and set it to the “Medium” or “High” security setting, it will block 135, 137, 139, and 445 by default. Otherwise, use whatever program you feel comfortable with and make sure you tell it to block those ports.
- Call Up Your ISP
Ask your ISP if they can block ports 135, 137, 139, and 445. If they can, it will eliminate a lot of Windows security worries.
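The same port-blocking idea, done with the firewall built into Windows instead of a router or ZoneAlarm. This is an added example, not part of the original post; it assumes a modern Windows host with the NetSecurity PowerShell module (Windows 8 / Server 2012 or later) and an elevated session, which the NT/2000/XP machines the post is about did not have.

```powershell
# Added example (not from the original post): block the four service ports
# named in the post (135, 137, 139, 445) inbound with Windows Firewall, then
# verify the rules and the firewall state. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module) and an elevated PowerShell session.

$ports = 135, 137, 139, 445

# Inbound block rules for both protocols. In Windows Firewall a Block rule
# takes precedence over an Allow rule, so these hold even if File and Printer
# Sharing has added its own Allow rules for 139/445.
New-NetFirewallRule -DisplayName "Block inbound RPC/NetBIOS/SMB (TCP)" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $ports -Profile Any

New-NetFirewallRule -DisplayName "Block inbound RPC/NetBIOS/SMB (UDP)" `
    -Direction Inbound -Action Block -Protocol UDP -LocalPort $ports -Profile Any

# Check: the rules exist, are enabled, and carry the expected port filters.
Get-NetFirewallRule -DisplayName "Block inbound RPC/NetBIOS/SMB*" |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        "{0}: {1} {2}" -f $_.DisplayName, $filter.Protocol, ($filter.LocalPort -join ",")
    }

# Check: the firewall is on for every profile. A disabled profile is the
# software-firewall equivalent of leaving "DMZ Host" switched on.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Show what still listens on these ports locally. RPC (135) and SMB (445)
# normally listen on every Windows host; the block rules above are what keep
# those listeners unreachable from the network, so the listeners themselves
# are expected here.
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```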
There you have it. You are now safe from this big exploit. If you would like to learn more about it or would like to actually see the malicious code, head over to http://www.k-otik.com/exploits/07.30.dcom48.c.php. The source is standard C and to compile you must have cygwin.
