Big Windows Security Hole

Perhaps in recent news (notably featured on CNN) you have heard about a major “Windows Security Hole” that many experts are warning of. Yes, there is a very important and dangerous hole in Windows NT/2000/XP/2003. However, there are a few simple steps you can take to secure yourself from this hole (and even future holes).


1. Know Thy Enemy


The hole is also known as the Windows DCOM-RPC exploit. It uses ports 135, 137, 139, and 445 (Windows service ports) to overflow and crash the RPC server on a victim’s computer. To use the exploit, all a hacker must know is your IP address. Everything else is easy from there. However, in order for the attack to work, you must be running an unpatched version of: Windows NT (SP0 through SP6), Windows 2000 (SP0 through SP4), Windows XP Home (SP0 or SP1), Windows XP Pro (SP0 or SP1), or Windows 2003 Server.


2. Download the Patch


http://www.microsoft.com/security/security_bulletins/ms03-026.asp


3. Block the Ports


Now, even though you have the patch, it is rumored that it does not work 100% of the time and that it is sometimes hard to apply to particular Windows installations, for one reason or another. That is why I recommend that you also find a way to block ports 135, 137, 139, and 445. Here are a few ways, depending on your setup:



  • Block ‘em From Your Router/Firewall
    If your router is configured with a whitelist (i.e. a “Services” list), erase any entries for ports 135, 137, 139, and 445. If it is configured with a blacklist (i.e. “Access Control”), add entries for ports 135, 137, 139, and 445. Make sure that DMZ Host is not on, or you have accomplished nothing.

  • Block ‘em From Your Software Firewall
    An excellent software firewall choice is ZoneAlarm. If you install this program and set it on “Medium” or “High” security settings, it will block 135, 137, 139, and 445 by default. Otherwise, use whatever program you feel comfortable with and make sure you tell it to block those ports.

  • Call Up Your ISP
    Ask your ISP if they can block ports 135, 137, 139, and 445. If they can, it will eliminate a lot of Windows security worries.
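Whichever of the three blocking options you pick, you will want to confirm it actually took effect (the DMZ Host caveat above is exactly the kind of thing that silently undoes the work). The following script is an added example, not code from the original article or from PCMech: it attempts a TCP connection to each of the four ports on a host you own and reports whether the port is open (a service answered), closed (the host reached but nothing is listening) or filtered (no reply within the timeout, which is what a correctly configured firewall produces). The port list and the classification of outcomes are assumptions made here; note that port 137 is the NetBIOS name service, which runs over UDP, so a TCP probe says nothing about that one.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# The ports the article tells readers to block. 137 (NetBIOS name service)
# actually listens on UDP, so a TCP probe of it is not meaningful on its own.
MS03_026_PORTS = (135, 137, 139, 445)


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP connection and classify the outcome.

    "open"     - handshake completed, a service answers on this port
    "closed"   - host replied with RST: reachable, but nothing listening
    "filtered" - no reply before the timeout, typically a firewall dropping packets
    "error"    - anything else (unreachable network, name resolution failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "error"


def probe_ports(host: str, ports: Iterable[int] = MS03_026_PORTS,
                timeout: float = 1.0) -> Dict[int, str]:
    """Probe every port in the list and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that still accept connections, i.e. the block did not work for them."""
    return sorted(port for port, state in results.items() if state == "open")


def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP listener on loopback (constructed, for demonstration only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_local_port() -> int:
    """Return a loopback port nothing listens on (bind, read the number, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys

    # Usage: python check_ports.py <address of a machine you own>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_ports(target)
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    still_open = exposed_ports(results)
    print("still reachable:", still_open if still_open else "none")
```

Run it from outside the firewall you just configured (for example from another machine on the far side of the router) against your own address; the result you want for 135, 139 and 445 is "filtered", or at worst "closed". An "open" on any of them means the rule is not in place, or something like DMZ Host is bypassing it.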

There you have it. You are now safe from this big exploit. If you would like to learn more about it or would like to actually see the malicious code, head over to http://www.k-otik.com/exploits/07.30.dcom48.c.php. The source is standard C, and to compile it you must have Cygwin.
