Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs


View products that this article applies to.

Technical update


Note This Bulletin (MS03-039) has been superceded by Microsoft Security Bulletin MS04-012.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM

  • September 12, 2003:
    • In the "Download Information" section for Windows XP, a note was added to indicate that the security patch for Windows XP 64-Bit Edition, Version 2003, is the same as the security patch for 64-bit versions of Windows Server 2003.
    • In the "File Information" section for Windows XP, registration information was added for the file manifests for 64-bit editions of Windows XP and for Windows XP without Service Pack 1 (SP1).
    • In the "File Information" sections, a note was added to indicate that the registry key for the file manifests for this security patch are not created when an administrator or an OEM integrates or slipstreams this security patch into their Windows installation source files.
    • In the "Installation Information" sections for Windows Server 2003 and for Windows XP, a note was added to indicate that MBSA Version 1.1.1 incorrectly reports that 824146 is not installed if your environment uses the RTMQFE versions of the files in this security patch on computers that are running Windows Server 2003 or Windows XP 64-Bit Edition, Version 2003.
    • The "Download Information" section and the "Prerequisites" section for Windows 2000 were updated to indicate that this security patch can be installed on Windows 2000 Datacenter Server Service Pack 3 (SP3) and Service Pack 4 (SP4).

↑ Back to the top


Symptoms

Remote Procedure Call (RPC) is a protocol that is used by Windows. RPC provides an inter-process communication mechanism that allows a program that is running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions.

There are three identified vulnerabilities in the part of the Windows RPC service (RPCSS) that deals with RPC messages for DCOM activation. Two of the vulnerabilities could allow an attacker to run malicious programs; one of the vulnerabilities might result in a denial of service. The flaws result from incorrect handling of malformed messages. These vulnerabilities affect the Distributed Component Object Model (DCOM) interface in RPCSS. This interface handles DCOM object activation requests that are sent by client computers to the server.

An attacker who successfully exploits these vulnerabilities might be able to run code with Local System rights on an affected computer, or could cause RPCSS to stop working. The attacker could then take any action on the computer, including installing programs, viewing, changing, or deleting data, or creating new accounts with full rights.

To exploit these vulnerabilities, an attacker could create an exploit program to send a malformed RPC message that targets RPCSS on a vulnerable server.

Mitigating factors

  • Firewall best practices and standard default firewall configurations can help to protect networks from remote attacks that originate outside the enterprise perimeter. Best practices recommend that you block all the ports that are not actually being used. Therefore, most computers that are attached to the Internet should have a minimal number of the affected ports exposed. For more information about the ports that are used by RPC, visit the following Microsoft Web site:
Note Microsoft tested Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Microsoft Windows Millennium Edition (Me) does not include the features that are associated with these vulnerabilities. Earlier versions of Windows are no longer supported, and may or may not be affected by these vulnerabilities. For additional information about the Microsoft support life cycle, visit the following Microsoft Web site: Note The features that are associated with these vulnerabilities are also not included with Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows 98 Second Edition, even if DCOM is installed.

↑ Back to the top


Resolution

Security patch information

For information about how to resolve this vulnerability, click the appropriate link:

Windows Server 2003 (all versions)

Download information

The following files are available for download from the Microsoft Download Center:


Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires a released version of Windows Server 2003.

Installation information

This security patch supports the following Setup switches:
  • /?: Show the list of installation switches.
  • /u: Use Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet mode (no user interaction).
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or use the Microsoft Baseline Security Analyzer (MBSA) tool.
For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

Note MBSA Version 1.1.1 incorrectly reports that 824146 is not installed if the RTMQFE versions of the files for this security patch are used in your environment.

You may also be able to verify that this security patch is installed by confirming that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824146

Deployment information

To install the security patch without any user intervention, use the following command line:
Windowsserver2003-kb824146-x86-enu /u /q
To install the security patch without forcing the computer to restart, use the following command line:
Windowsserver2003-kb824146-x86-enu /z
Note You can combine these switches into one command line.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

Restart requirement

You must restart your computer after you apply this security patch.

Removal information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824146$\Spuninst folder, and it supports the following Setup switches:
  • /?: Show the list of installation switches.
  • /u: Use unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet mode (no user interaction).

Security patch replacement information

This security patch replaces MS03-026 (823980).
For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:
823980 MS03-026: Buffer overrun in RPC may allow code execution

File information

The English version of this has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.


Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, and Windows Server 2003, Datacenter Edition:

Date Time Version Size File name Folder
--------------------------------------------------------------
23-Aug-2003 18:56 5.2.3790.80 1,183,744 Ole32.dll RTMGDR
23-Aug-2003 18:56 5.2.3790.76 657,920 Rpcrt4.dll RTMGDR
23-Aug-2003 18:56 5.2.3790.80 284,672 Rpcss.dll RTMGDR
23-Aug-2003 18:48 5.2.3790.80 1,183,744 Ole32.dll RTMQFE
23-Aug-2003 18:48 5.2.3790.76 658,432 Rpcrt4.dll RTMQFE
23-Aug-2003 18:48 5.2.3790.80 285,184 Rpcss.dll RTMQFE
Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:

Date Time Version Size File name Platform Folder
-------------------------------------------------------------------------
23-Aug-2003 18:56 5.2.3790.80 3,551,744 Ole32.dll IA64 RTMGDR
23-Aug-2003 18:56 5.2.3790.76 2,127,872 Rpcrt4.dll IA64 RTMGDR
23-Aug-2003 18:56 5.2.3790.80 665,600 Rpcss.dll IA64 RTMGDR
23-Aug-2003 18:56 5.2.3790.80 1,183,744 Wole32.dll x86 RTMGDR
23-Aug-2003 18:56 5.2.3790.76 539,648 Wrpcrt4.dll x86 RTMGDR
23-Aug-2003 18:48 5.2.3790.80 3,551,232 Ole32.dll IA64 RTMQFE
23-Aug-2003 18:48 5.2.3790.76 2,128,384 Rpcrt4.dll IA64 RTMGDR
23-Aug-2003 18:48 5.2.3790.80 666,624 Rpcss.dll IA64 RTMGDR
23-Aug-2003 18:48 5.2.3790.80 1,183,744 Wole32.dll x86 RTMGDR
23-Aug-2003 18:48 5.2.3790.76 539,648 Wrpcrt4.dll x86 RTMGDR
Note When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages

You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824146\Filelist
Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

Windows XP (all versions)

To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
811113 List of fixes included in Windows XP Service Pack 2

Download information

The following files are available for download from the Microsoft Download Center:


Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center EditionWindows XP 64-Bit Edition Version 2002Windows XP 64-Bit Edition Version 2003Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.
Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
Installation information
This security patch supports the following Setup switches:
  • /?: Show the list of installation switches.
  • /u: Use Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet mode (no user interaction).
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or use the Microsoft Baseline Security Analyzer (MBSA) tool.
For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

Note MBSA Version 1.1.1 incorrectly reports that 824146 is not installed if the RTMQFE versions of the files for this security patch are used on a computer that is running Windows XP 64-Bit Edition, Version 2003.

You may also be able to verify that the security patch is installed on your computer by confirming that the following registry key exists:

Windows XP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824146
Windows XP with Service Pack 1 (SP1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824146
Windows XP 64-Bit Edition Version 2003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824146

Deployment Information

To install the security patch without any user intervention, use the following command line:
Windowsxp-kb824146-x86-enu /u /q
To install the security patch without forcing the computer to restart, use the following command line:
Windowsxp-kb824146-x86-enu /z
Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You must restart your computer after you apply this security patch.

Removal information

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824146$\Spuninst folder, and it supports the following Setup switches:
  • /?: Show the list of installation switches.
  • /u: Use unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet mode (no user interaction).

Security patch replacement information

This security patch replaces MS03-026 (823980).
For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:
823980 MS03-026: Buffer overrun in RPC may allow code execution

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.


Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:

Date Time Version Size File name
-------------------------------------------------------------------
25-Aug-2003 22:29 5.1.2600.118 1,093,632 Ole32.dll (pre-SP1)
25-Aug-2003 22:29 5.1.2600.109 439,296 Rpcrt4.dll (pre-SP1)
25-Aug-2003 22:29 5.1.2600.118 204,288 Rpcss.dll (pre-SP1)
25-Aug-2003 18:53 5.1.2600.1263 1,172,992 Ole32.dll (with SP1)
25-Aug-2003 18:53 5.1.2600.1254 532,480 Rpcrt4.dll (with SP1)
25-Aug-2003 18:53 5.1.2600.1263 260,608 Rpcss.dll (with SP1)
Windows XP 64-Bit Edition Version 2002:

Date Time Version Size File name Platform
--------------------------------------------------------------------------
25-Aug-2003 19:30 5.1.2600.118 4,195,840 Ole32.dll IA64 (pre-SP1)
25-Aug-2003 19:30 5.1.2600.109 2,025,472 Rpcrt4.dll IA64 (pre-SP1)
25-Aug-2003 19:30 5.1.2600.118 741,888 Rpcss.dll IA64 (pre-SP1)
20-Aug-2003 18:16 5.1.2600.118 1,093,632 Wole32.dll x86 (pre-SP1)
02-Jan-2003 23:06 5.1.2600.109 440,320 Wrpcrt4.dll x86 (pre-SP1)
27-Aug-2003 18:12 5.1.2600.1263 4,296,192 Ole32.dll IA64 (with SP1)
27-Aug-2003 18:12 5.1.2600.1254 2,298,880 Rpcrt4.dll IA64 (with SP1)
27-Aug-2003 18:12 5.1.2600.1263 742,400 Rpcss.dll IA64 (with SP1)
27-Aug-2003 17:27 5.1.2600.1263 1,172,992 Wole32.dll x86 (with SP1)
02-Aug-2003 22:14 5.1.2600.1254 506,880 Wrpcrt4.dll x86 (with SP1)
Windows XP 64-Bit Edition Version 2003:

Date Time Version Size File name Platform Folder
-------------------------------------------------------------------------
23-Aug-2003 18:56 5.2.3790.80 3,551,744 Ole32.dll IA64 RTMGDR
23-Aug-2003 18:56 5.2.3790.76 2,127,872 Rpcrt4.dll IA64 RTMGDR
23-Aug-2003 18:56 5.2.3790.80 665,600 Rpcss.dll IA64 RTMGDR
23-Aug-2003 18:56 5.2.3790.80 1,183,744 Wole32.dll x86 RTMGDR
23-Aug-2003 18:56 5.2.3790.76 539,648 Wrpcrt4.dll x86 RTMGDR
23-Aug-2003 18:48 5.2.3790.80 3,551,232 Ole32.dll IA64 RTMQFE
23-Aug-2003 18:48 5.2.3790.76 2,128,384 Rpcrt4.dll IA64 RTMGDR
23-Aug-2003 18:48 5.2.3790.80 666,624 Rpcss.dll IA64 RTMGDR
23-Aug-2003 18:48 5.2.3790.80 1,183,744 Wole32.dll x86 RTMGDR
23-Aug-2003 18:48 5.2.3790.76 539,648 Wrpcrt4.dll x86 RTMGDR
Notes
  • When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer.
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages

  • The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1).
    For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:
    328848 Description of dual-mode update packages for Windows XP

You may also be able to verify the files that this security patch installed by reviewing the following registry keys:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824146\Filelist
For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824146\Filelist
For Windows XP 64-Bit Edition, Version 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824146\Filelist
Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.
To resolve this problem, obtain Update Rollup 1 for Windows 2000 SP4. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
891861 Update Rollup 1 for Windows 2000 SP4 and known issues

Windows 2000

Download information

The following file is available for download from the Microsoft Download Center:

Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.


Prerequisites

For Windows 2000 Datacenter Server, this security patch requires Service Pack 3 (SP3). For other versions of Windows 2000, this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).


Note Windows 2000 Service Pack 2 has reached the end its life cycle as previously documented, and Microsoft does not typically provide generally available security patches for this product. However, because of the nature of this vulnerability, because the end-of-life occurred very recently, and because many customers are currently running Windows 2000 Service Pack 2, Microsoft has decided to make an exception for this vulnerability.

Microsoft does not anticipate doing this for future vulnerabilities, but reserves the right to produce and make available security patches when they are necessary. Microsoft urges customers with existing Windows 2000 Service Pack 2-based computers to migrate those computers to supported Windows versions to prevent exposure to future vulnerabilities. For information about the Windows desktop product life cycle, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

Installation information

This security patch supports the following Setup switches:
  • /?: Show the list of installation switches.
  • /u: Use Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet mode (no user interaction).
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or the Microsoft Baseline Security Analyzer (MBSA) tool.
For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

You may also be able to verify that the security patch is installed on your computer by confirming that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824146

Deployment information

To install the security patch without any user intervention, use the following command line:
Windows2000-kb824146-x86-enu /u /q
To install the security patch without forcing the computer to restart, use the following command line:
Windows2000-kb824146-x86-enu /z
Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You must restart your computer after you apply this security patch.

Removal information

To remove this security patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824146$\Spuninst folder, and it supports the following Setup switches:
  • /?: Show the list of installation switches.
  • /u: Use unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet mode (no user interaction).

Security patch replacement information

This security patch replaces MS03-026 (823980).
For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:
823980 MS03-026: Buffer overrun in RPC may allow code execution

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date Time Version Size File name
------------------------------------------------------
23-Aug-2003 18:48 5.0.2195.6810 945,936 Ole32.dll
23-Aug-2003 18:48 5.0.2195.6802 432,912 Rpcrt4.dll
23-Aug-2003 18:48 5.0.2195.6810 192,272 Rpcss.dll
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824146\Filelist
Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

Windows NT 4.0 (all versions)

Download information

The following files are available for download from the Microsoft Download Center:


Windows NT Workstation 4.0 Windows NT Server 4.0 Windows NT Server 4.0, Terminal Server Edition Release Date: September 10, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires Windows NT Server 4.0 Service Pack 6a (SP6a), Windows NT Workstation 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).

Note Windows NT Workstation 4.0 has reached the end its life cycle as previously documented, and Microsoft does not typically provide generally available security patches for this product. However, because of the nature of this vulnerability, because the end-of-life occurred very recently, and because many customers are currently running Windows NT Workstation 4.0, Microsoft has decided to make an exception for this vulnerability.

Microsoft does not anticipate doing this for future vulnerabilities, but reserves the right to produce and make available security patches when they are necessary. Microsoft urges customers with existing Windows NT Workstation 4.0-based computers to migrate those computers to supported Windows versions to prevent exposure to future vulnerabilities. For information about the Windows desktop product life cycle, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to obtain the latest Windows NT 4.0 service pack

Installation information

This security patch supports the following Setup switches:
  • /y: Perform removal (only with /m or /q ).
  • /f: Force programs to quit during the shutdown process.
  • /n: Do not create an Uninstall folder.
  • /z: Do not restart when the update completes.
  • /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
  • /m: Use Unattended mode with a user interface.
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
To verify that the security patch is installed on your computer, use the KB 824146 scanning tool (KB824146scan.exe) or the Microsoft Baseline Security Analyzer (MBSA) tool.
For additional information about KB824146scan.exe, click the following article number to view the article in the Microsoft Knowledge Base:
827363 How to use the KB 824146 Scanning tool to identify host computers that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed

For more information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

You may also be able to verify that the security patch is installed on your computer by confirming that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824146

Deployment information

To install the security patch without any user intervention, use the following command line:
Windowsnt4server-kb824146-x86-enu /q
To install the security patch without forcing the computer to restart, use the following command line:
Windowsnt4server-kb824146-x86-enu /z
Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You must restart your computer after you apply this security patch.

Removal information

To remove this security patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB824146$ folder. The utility supports the following Setup switches:
  • /y: Perform removal (only with the /m or /q switch).
  • /f: Force programs to quit during the shutdown process.
  • /n: Do not create an Uninstall folder.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch).
  • /m: Use Unattended mode with a user interface.
  • /l: List the installed hotfixes.

Security patch replacement information

This security patch replaces MS03-026 (823980).
For additional information about MS03-026 (823980), click the following article number to view the article in the Microsoft Knowledge Base:
823980 MS03-026: Buffer overrun in RPC may allow code execution

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.


Windows NT Server 4.0:

Date Time Version Size File name
------------------------------------------------------
11-Aug-2003 11:29 4.0.1381.7230 701,200 Ole32.dll
11-Aug-2003 11:29 4.0.1381.7230 345,872 Rpcrt4.dll
11-Aug-2003 11:29 4.0.1381.7230 107,792 Rpcss.exe
Windows NT Server 4.0, Terminal Server Edition:

Date Time Version Size File name
-------------------------------------------------------
11-Aug-2003 12:30 4.0.1381.33551 701,712 Ole32.dll
11-Aug-2003 12:14 4.0.1381.33551 345,360 Rpcrt4.dll
11-Aug-2003 12:30 4.0.1381.33551 109,328 Rpcss.exe
Windows NT Workstation 4.0:

Date Time Version Size File name
------------------------------------------------------
11-Aug-2003 11:29 4.0.1381.7230 701,200 Ole32.dll
11-Aug-2003 11:29 4.0.1381.7230 345,872 Rpcrt4.dll
11-Aug-2003 11:29 4.0.1381.7230 107,792 Rpcss.exe
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824146\File 1
Note This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

↑ Back to the top


Workaround

Although Microsoft urges all customers to apply the security patch at the earliest possible opportunity, there are some workarounds that you can use to help prevent the vector that is used to exploit this vulnerability in the interim. There is no guarantee that these workarounds will block all possible attack vectors.

Note These workarounds are temporary measures because they only help to block paths of attack instead of correcting the underlying vulnerability.
  • Block UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593 at your firewall. Also disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on the affected computers.

    These ports are used to initiate an RPC connection with a remote computer. Blocking them at the firewall helps to prevent computers that are located behind the firewall from being attacked by attempts to exploit these vulnerabilities. Also block any other specifically configured RPC port on the remote computer.

    If they are enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP port 80 (and port 443 on Windows XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected computers.
    For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:
    825819 How to remove COM Internet Services (CIS) and RPC over HTTP proxy support

    For additional information about RPC over HTTP, visit the following Microsoft Web site:
  • Use Internet Connection Firewall (ICF), and disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on the affected computers.

    If you are using the ICF feature in Windows XP or in Windows Server 2003 to help to protect your Internet connection, ICF blocks inbound RPC traffic from the Internet by default.

    Note ICF is available in Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and that is a member of the Windows Server 2003 family.

    Make sure that CIS and RPC over HTTP are disabled on all affected computers. For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:
    825819 How to remove COM Internet Services (CIS) and RPC over HTTP proxy support

    For additional information about RPC over HTTP, visit the following Microsoft Web site:
  • Block the affected ports by using an Internet protocol security (IPSec) filter, and disable COM Internet Services (CIS) and RPC over HTTP. CIS and RPC over HTTP listen on ports 80 and 443 on the affected computers.

    You can help to enhance the security of network communications on Windows 2000-based computers if you use IPSec.
    For additional information about IPSec and about how to use IP filter lists in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    313190 How to use IPSec IP filter lists in Windows 2000

    813878 How to block specific network protocols and ports by using IPSec

    Make sure that CIS and RPC over HTTP are disabled on all affected computers.
    For additional information about how to disable CIS, click the following article number to view the article in the Microsoft Knowledge Base:
    825819 How to remove COM Internet Services (CIS) and RPC over HTTP proxy support

    For additional information about RPC over HTTP, visit the following Microsoft Web site:
  • Disable DCOM on all affected computers. When a computer is part of a network, the DCOM wire protocol permits COM objects on that computer to communicate with COM objects on other computers.

    You can disable DCOM for a computer to help to protect against this vulnerability, but doing so disables all communication between objects on that computer and objects on other computers. If you disable DCOM on a remote computer, you cannot remotely access that computer to enable DCOM again. To enable DCOM again, you must have physical access to that computer.
    For additional information about how to disable DCOM, click the following article number to view the article in the Microsoft Knowledge Base:
    825750 How to disable DCOM support in Windows

    Note For Windows 2000, the methods that Microsoft Knowledge Base article 825750 describes work only on computers that are running Service Pack 3 or later. Customers who are using Service Pack 2 or earlier must upgrade to a later service pack or use another workaround.

↑ Back to the top


Status

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in Windows 2000 Service Pack 4.

↑ Back to the top


More Information

For more information about this vulnerability, visit the following Microsoft Web site: For more information about helping to secure RPC for clients and servers, visit the following Microsoft Web site: For more information about the ports that are used by RPC, visit the following Microsoft Web site:

↑ Back to the top


Keywords: kbhotfixserver, kbwinxppresp2fix, kbwinserv2003presp1fix, kbwin2000presp5fix, kbfix, kbbug, kbsecvulnerability, kbsecbulletin, kbsecurity, kbqfe, kb, kbwinnt400presp7fix

↑ Back to the top

Article Info
Article ID : 824146
Revision : 9
Created on : 4/13/2020
Published on : 4/13/2020
Exists online : False
Views : 882