Microsoft's latest security flaw is already a hacker target on your network.
Have you installed Microsoft's latest patch, the one documented in Microsoft
security bulletin MS03-039? The bulletin was issued on September 10, 2003, and
researchers are already finding working attack code (called "exploits") for the
holes it fixes, which is the raw material from which a worm is built. These
exploits are similar in nature to the ones behind the W32.Blaster and
W32.Welchia (also known as Nachi) worms that devastated servers last month;
Welchia shut down the likes of Canadian Airlines and caused major damage. If
your organization is running Windows NT 4.0, 2000, XP, or Server 2003, you
should take note.
How the Exploit Works
At the core of the security flaw is Microsoft's
Distributed Component Object Model (DCOM) and the Remote Procedure Call (RPC)
service that carries its requests. DCOM (previously called "Network OLE") lets
software components communicate directly over a network. It was designed to run
over several network transports, including Internet protocols such as HTTP. RPC
is the underlying protocol that lets a program request a service from a program
on another computer, and on Windows the RPC service (RPCSS) listens for such
requests by default.
Even if your systems are not using these technologies, they came packaged
with Windows and the service that handles them is running and listening by
default. When used properly, they're extremely powerful. Unfortunately, it has
now been revealed that the part of the RPC service that handles DCOM requests
has three serious flaws: two buffer overruns that allow remote code execution
and one denial-of-service flaw.
The buffer overruns work like this. A DCOM activation request arriving over
RPC contains fields whose lengths are declared by the sender. The service copied
those fields into fixed-size buffers on the stack without checking that they
fit. An attacker who sends a deliberately oversized field therefore writes past
the end of the buffer and over whatever is stored next to it, including the
address the function will jump back to when it finishes. This is akin to trying
to fill your car's gas tank when it has a blocked filler tube: You can only get
so much into the tank, and the rest floods out all over the pavement or into the
car itself. One little spark, and you've changed your internal combustion engine
into an externally combusted inferno. The spark here is that the overflowing
bytes are chosen by the attacker: they contain machine code and a replacement
return address that points at it, so when the function returns, the attacker's
instructions run with the privileges of the RPC service, which is the operating
system's own LocalSystem account. That's how W32.Blaster and W32.Welchia worked
last month against the earlier RPC/DCOM hole fixed by MS03-026. Once in, the
worm used that foothold to copy its own executable onto the machine, start it,
and begin scanning the network for the next victim. A worm does not need the
third flaw to spread; the denial-of-service flaw simply lets an attacker crash
the RPC service, which on Windows XP forces the machine to reboot.
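The following is an added example, not code from the article and not Microsoft's code, that models the bug class just described: a service copies a length-prefixed field from an attacker-controlled request into a fixed-size stack buffer. The two-byte-length-then-name message layout, the NAME_MAX size and the handler names are assumptions made for illustration; they are not the real DCE/RPC or DCOM activation wire format. The unchecked handler is the bug, the checked handler is the fix, and the constructed requests show a lying length field being rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumed fixed stack buffer for a host/path name */

/* Hypothetical request: 2-byte little-endian declared length, then name bytes. */
struct request {
    const uint8_t *data;
    size_t len;          /* bytes actually received from the network */
};

static uint16_t read_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Build a request in 'out'. 'declared' may differ from body_len to model a
 * client that lies about how much data follows. Returns the total size. */
static size_t build_request(uint8_t *out, uint16_t declared,
                            const uint8_t *body, size_t body_len)
{
    out[0] = (uint8_t)(declared & 0xff);
    out[1] = (uint8_t)(declared >> 8);
    memcpy(out + 2, body, body_len);
    return body_len + 2;
}

/* VULNERABLE: trusts the length the client sent. A declared length beyond
 * NAME_MAX writes past 'name' into the saved frame data and return address
 * of this function. Only ever call this with benign input. */
int handle_activation_unchecked(const struct request *req)
{
    char name[NAME_MAX];
    if (req->len < 2) return -1;
    uint16_t n = read_u16le(req->data);
    memcpy(name, req->data + 2, n);   /* bug: n never compared with sizeof name */
    name[n] = '\0';                   /* and this write lands wherever n says */
    return (int)strlen(name);
}

/* FIXED: every length taken from the wire is checked against both the
 * destination buffer and the number of bytes actually received. */
int handle_activation_checked(const struct request *req)
{
    char name[NAME_MAX];
    if (req->len < 2) return -1;
    uint16_t n = read_u16le(req->data);
    if (n >= sizeof name) return -1;            /* would not fit with its NUL */
    if ((size_t)n > req->len - 2) return -1;    /* declares more than arrived */
    memcpy(name, req->data + 2, n);
    name[n] = '\0';
    return (int)n;                              /* accepted name length */
}

/* Constructed sample traffic (not captured from a real exploit): a body of
 * 'body_len' filler bytes with a declared length of 'declared'. */
int run_demo(int (*handler)(const struct request *), uint16_t declared,
             size_t body_len, char fill)
{
    uint8_t buf[512], body[512];
    memset(body, fill, body_len);
    struct request r = { buf, build_request(buf, declared, body, body_len) };
    return handler(&r);
}

int main(int argc, char **argv)
{
    printf("benign (12 bytes), unchecked:  %d\n", run_demo(handle_activation_unchecked, 12, 12, 'h'));
    printf("benign (12 bytes), checked:    %d\n", run_demo(handle_activation_checked, 12, 12, 'h'));
    printf("oversized (300 bytes), checked: %d (rejected)\n", run_demo(handle_activation_checked, 300, 300, 'A'));
    printf("declares 20, sends 10, checked: %d (rejected)\n", run_demo(handle_activation_checked, 20, 10, 'B'));
    if (argc > 1 && strcmp(argv[1], "--smash") == 0) {
        /* The overrun itself: expect a crash or a "stack smashing detected"
         * abort. A worm would instead place a return address and machine
         * code in those 300 bytes. */
        run_demo(handle_activation_unchecked, 300, 300, 'A');
    }
    return 0;
}
```

The second check in the fixed handler matters as much as the first: a request that declares more bytes than were received makes the service read past the end of the packet, which is a separate way to crash it.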
The next variants of worms and viruses are predicted to exploit the new DCOM
flaws in the same manner. The remedy is to get the patch referenced in
Microsoft security bulletin MS03-039 and apply it to every Windows system. For
server administrators, it's also important to block TCP and UDP ports 135, 139,
and 445 (and TCP 593, used for RPC over HTTP) at the firewall so that RPC and
file-sharing traffic from the Internet never reaches the servers. Blocking at
the perimeter reduces exposure but is not a substitute for the patch. This also
goes for iSeries users who are running Microsoft Windows on the IXA/IXS
features.
How Soon?
Researchers at Counterpane Internet Security, Inc.
found the first versions of the new exploit just days after Microsoft announced
the patch for the DCOM overflow flaw on September 10. Though no new worms have
yet been released at this writing, it's likely that we'll see a similar shutdown
of Windows servers in the very near future.
The only "modern" version of Windows that is not affected by this
security flaw is Windows ME, and that's simply because ME does not run the
vulnerable RPC service. Windows NT 4.0 (Workstation and Server), Windows 2000,
Windows XP, and Windows Server 2003 are all vulnerable and should be patched
immediately.
Of special importance are the portable laptop computers that company
officials take on the road. While the office network may be protected by a
firewall, these portables are often out in the unprotected real world, where
they can pick up a worm propagating on an external network and then infect the
internal network when they return to the office, bypassing the perimeter
entirely. Applying the patch described in security bulletin MS03-039 to those
laptops closes that route.
Firewall Basics
If your users are running Windows 2000 or earlier versions
(Windows 95/98/NT), you should provide them with firewall protection. A
firewall is a piece of software or hardware that sits between the machine and
the network and drops connection attempts the machine did not ask for, so a
worm scanning for ports 135, 139, or 445 never reaches the vulnerable service.
(A firewall may also hide your real IP address behind address translation, but
it is the filtering, not the hiding, that stops an RPC exploit.)
Windows XP and Windows Server 2003 have a built-in firewall (the Internet
Connection Firewall), but it is off by default and must be enabled on each
network connection to protect you and your users. For more information on how
to enable it, visit the Microsoft "Protect Your PC" Web site.
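As an added example covering both the port-blocking advice above and this section on firewalls (not code from the article or from Microsoft), here is a small probe that checks from the outside whether the RPC, NetBIOS and SMB ports are reachable on a host. It uses plain POSIX sockets; the host address on the command line and the 1.5-second timeout are assumptions. A port that answers with a reset is "closed" (nothing listening, but the traffic got through), while one that never answers is "filtered" (a firewall dropped the SYN), which is the state you want to see from an untrusted network.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum port_state { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_ERROR };

const char *state_name(enum port_state s)
{
    switch (s) {
    case PORT_OPEN:     return "open";
    case PORT_CLOSED:   return "closed (reset received, not firewalled)";
    case PORT_FILTERED: return "filtered (no answer, firewall in the way)";
    default:            return "error";
    }
}

/* Non-blocking TCP connect to ip:port with a timeout in milliseconds. */
enum port_state probe_tcp_port(const char *ip, unsigned short port, int timeout_ms)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return PORT_ERROR;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PORT_ERROR;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);

    enum port_state result = PORT_ERROR;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        result = PORT_OPEN;
    } else if (errno == ECONNREFUSED) {
        result = PORT_CLOSED;
    } else if (errno == ENETUNREACH || errno == EHOSTUNREACH) {
        result = PORT_FILTERED;
    } else if (errno == EINPROGRESS) {
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        int n = select(fd + 1, NULL, &wfds, NULL, &tv);
        if (n == 0) {
            result = PORT_FILTERED;        /* SYN silently dropped */
        } else if (n > 0) {
            int err = 0;
            socklen_t elen = sizeof err;
            getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen);
            if (err == 0) result = PORT_OPEN;
            else if (err == ECONNREFUSED) result = PORT_CLOSED;
            else result = PORT_FILTERED;   /* e.g. host unreachable via ICMP */
        }
    }
    close(fd);
    return result;
}

/* The ports named in the article plus TCP 593 (RPC over HTTP), which the
 * bulletin's firewall workaround also lists. */
static const unsigned short rpc_ports[] = { 135, 139, 445, 593 };
#define NUM_RPC_PORTS (sizeof rpc_ports / sizeof rpc_ports[0])

/* Probes each port, prints its state, and returns how many are open.
 * Zero is the goal for a host that should not offer RPC/SMB to this network. */
int count_exposed_rpc_ports(const char *ip, int timeout_ms)
{
    int exposed = 0;
    for (size_t i = 0; i < NUM_RPC_PORTS; i++) {
        enum port_state s = probe_tcp_port(ip, rpc_ports[i], timeout_ms);
        printf("%s tcp/%u: %s\n", ip, rpc_ports[i], state_name(s));
        if (s == PORT_OPEN) exposed++;
    }
    return exposed;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "127.0.0.1";  /* assumed default */
    int exposed = count_exposed_rpc_ports(target, 1500);
    printf("%d of %zu RPC-related ports reachable on %s\n", exposed, NUM_RPC_PORTS, target);
    return exposed ? 1 : 0;
}
```

Run it from outside the firewall against a server's public address; any "open" line means the patch is the only thing standing between that service and the Internet. Run it again from inside the network to see what a returning infected laptop would see.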
What If...
The importance of plugging these security flaws
cannot be overstated, and making certain that you and your co-workers take
appropriate action is really mandatory. This applies not only to servers running
Windows, but to client machines as well. Why? Because once an infection starts
on an internal network, it will spread rapidly, hitting any vulnerable machine
it can find. Some of the possibilities are as frightening as they can be,
including a worm that reformats the hard drive, steals critical information from
your system, or changes information on Web sites or within files.
No one wants to be the victim of these exploits, but it's bound to happen
sooner rather than later given the current security flaws of Windows operating systems.
And, in the spirit of 9/11, it's essential that every member of the team
actively question IT's preparedness for these potential onslaughts. It's no
longer merely the responsibility of the tech team to identify and remedy
security problems. If you are reading this on a computer or if you have a
computer at home, you need to act and act quickly.
Visit the Microsoft Windows
Update Web site and have the site scan your machine to make certain that you
are up-to-date with security patches. If your system is "hopelessly" out of
date, notify both IT and your supervisor that action needs to be taken
now! Don't accept excuses from IT. If necessary, ask your supervisor for
extra time to perform the tasks required to make your system safe. And don't
just stop at your work machine either. Make certain your home machine is
protected, too.
If you don't know the level of your protection--or if you're blithely
assuming that IT will solve the problems once they occur or that it's really "no
big deal"--rethink that proposition carefully. The first letter in PC stands for
"personal." Isn't it about time we got "personal" about our responsibility to
keep our computers protected?
Thomas M. Stockwell is Editor in Chief of MC Press,
LP.