Threat of the month: RPC hole

Share this article:

What is it?
The Server Service is a Windows remote procedure call (RPC) service that is crucial for Windows file-sharing networks over workgroups or domains. A vulnerability has been found allowing for remote attacks to take control of PCs via TCP ports 139 or 445.

How does it work?
The vulnerability exists in the Windows API call NetPathCanonicalize(), used by the Server Service. Insufficient bounds checking allows for maliciously formatted arguments to get placed in the API call, leading to a buffer overflow.

Should I be worried?
Yes. This is a serious vulnerability. The major mitigating factors are that personal firewalls are enabled by default for Windows XP SP2 and later machines, thwarting arbitrary access.

How can I prevent it?
Microsoft recommends installing the MS08-067 patch to address this issue while retaining full Windows functionality. In addition, firewalling TCP ports 139 and 445 from arbitrary network locations can prevent worms from attacking from the outside, and firewalls inside the network can be used to contain any worm outbreaks in enterprises. Updated AV tools can also be used to detect these worms on infected systems.

Share this article:

Sign up to our newsletters

More in Features

Case study: Big LAN on campus

Case study: Big LAN on campus

A university rolled out a wireless network, but was hampered with a user-support problem...until a solution was found. Greg Masters reports.

2014 Women in IT Security: Stacey Halota

2014 Women in IT Security: Stacey Halota

When she stepped into the job of vice president of information security and privacy at Graham Holdings Company in 2003, Stacey Halota had to carve out new territory because her ...

What's sex got to do with it?

What's sex got to do with it?

Harassment has no place in the security industry. Neither do sexism or discrimination. But, there they are. It's time for infosec to just say no, reports Teri Robinson.