Vulnerability in Microsoft Windows Exposes XP/2000 Computers to Worm Attacks - Again
Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.
On August 8, 2006, Microsoft released a dozen patches and fixes for Windows and Office products. One of those patches, MS06-040, fixes a vulnerability in the Windows Server Service, as follows:
Buffer Overrun in Server Service Vulnerability: There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
That service is normally found and running on computers running Windows 2000, XP Home and Pro (32 and 64 bit), and Server 2003. If you don't apply the patch either via Windows Updates or by downloading from the aforementioned MS page, and you are not behind a firewall that blocks incoming unsolicited TCP traffic, your computer(s) will be at severe risk of being taken over by hackers or criminals, who will use them for their own nefarious purposes.
This vulnerability and the anticipated attacks to come any day now are similar to the infamous MSBlaster Worm attack of August 11, 2004. People who ignored the advice to apply Windows Updates in July 2004 and were not behind good firewalls had their computers invaded by the MSBlast Worm, and many found them rebooting within 60 seconds after entering the Windows desktop (due to an RPC Buffer Overflow condition). The Blaster Worm spread from computer to computer over TCP, the protocol which computers use to communicate over the Internet. This new Server Service vulnerability is also attacked via TCP traffic directed to incoming TCP Ports 139 and 445.
If you haven't already received automatic Windows Updates, go to the Windows Update website, using Internet Explorer, and download/install the available updates. If you are unable to obtain Windows Updates because your copy of Windows is pirated, or not legally licensed, at least get yourself behind a firewall as soon as possible. Windows XP has one built in that will stop incoming attacks. ZoneLabs ZoneAlarm is an excellent firewall, available in free and paid versions, and Sunbelt makes the free and paid Sunbelt-Kerio Personal Firewall.
If you are on a LAN behind a hardware router/firewall you are protected against unsolicited incoming TCP attacks, but not outgoing, phone-home threats that might sneak onto your computer. Do yourself a favor and get a software firewall installed onto all of your computers, whether or not they are behind a router. Routers have vulnerabilities also, some of which are being actively exploited right now. Without a software firewall you may be completely at the mercy of criminal attackers who want to add your computers to their BotNets. They will then use your computer to launch DDoS attacks or for use as spam relays.
I have created a webpage all about firewalls and TCP attacks, at: http://www.wizcrafts.net/ans/firewalls.html which is a child of my FAQs page.
Windows Live OneCare
Microsoft offers Windows Live OneCare, an automatically self-updating PC care service that runs quietly in the background. It helps provide persistent protection against viruses, hackers, and other threats, and helps keep your PC tuned up and your important documents backed up. For more details, see Windows Live OneCare at www.windowsonecare.com.
Details about activating the Windows XP firewall are in my extended comments:
To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.
By default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet. In Windows XP Service Pack 2 this feature is called the Windows Firewall.
To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
Note If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.
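To confirm that the firewall is really dropping unsolicited traffic to TCP ports 139 and 445, the following added example (not part of the original article or of Microsoft's guidance) summarises a Windows Firewall security log by remote address. It assumes that logging of dropped packets and successful connections is turned on and that the log carries the usual #Fields: header; the sample log lines, addresses and the triage function name are constructed for illustration.

```python
from collections import Counter

WATCHED_PORTS = {"139", "445"}  # the inbound TCP ports named in this article

# Constructed sample in the Windows Firewall log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2006-08-12 09:14:02 DROP TCP 203.0.113.7 192.168.1.10 3312 445 48 S 1002003 0 65535 - - -
2006-08-12 09:14:05 DROP TCP 203.0.113.7 192.168.1.10 3313 139 48 S 1002950 0 65535 - - -
2006-08-12 09:15:40 DROP UDP 198.51.100.4 192.168.1.10 1026 1434 404 - - - - - - -
2006-08-12 09:16:11 OPEN TCP 192.168.1.10 198.51.100.80 1045 80 - - - - - - - -
2006-08-12 09:17:30 OPEN TCP 198.51.100.23 192.168.1.10 4100 445 - - - - - - - -
2006-08-12 09:18:01 DROP TCP 203.0.113.9 192.168.1.10 2210 445 48 S 5550001 0 65535 - - -
"""

def triage(log_text, local_ip):
    """Return (dropped, allowed): Counters of remote IPs that hit ports 139/445."""
    fields, dropped, allowed = [], Counter(), Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        if len(cols) < len(fields):            # truncated or malformed entry
            continue
        rec = dict(zip(fields, cols))
        if rec.get("protocol") != "TCP" or rec.get("dst-port") not in WATCHED_PORTS:
            continue
        if rec.get("dst-ip") != local_ip:      # only traffic aimed at this machine
            continue
        if rec.get("action") == "DROP":
            dropped[rec.get("src-ip")] += 1
        elif rec.get("action") == "OPEN":      # connection was let through
            allowed[rec.get("src-ip")] += 1
    return dropped, allowed

if __name__ == "__main__":
    dropped, allowed = triage(SAMPLE_LOG, "192.168.1.10")
    for ip, n in dropped.most_common():
        print(f"blocked  {ip}  {n} attempt(s)")
    for ip, n in allowed.most_common():
        print(f"ALLOWED  {ip}  {n} connection(s): check the firewall exceptions")
```

Any address reported as ALLOWED reached port 139 or 445 through the firewall, which means an exception for file and printer sharing is open and the machine depends entirely on the MS06-040 patch.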
• To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
• To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.