Internet Security Systems Security Brief October 14, 2003 Microsoft RPC Race Condition Denial of Service Synopsis: ISS X-Force has discovered a flaw in the Microsoft RPC service during a routine audit that may allow remote attackers to trigger a Denial of Service (DoS) condition on vulnerable hosts. This vulnerability exists in the most current patch-levels of the Windows operating systems, including computers patched against the issues described in Microsoft Security Bulletin MS03-039. This vulnerability has been reported by various sources as a new exploit vector against the vulnerability disclosed in MS03-039. This assessment is incorrect. The vulnerability described in this Advisory manifests as a result of a separate multi-threaded race condition when processing incoming RPC requests. Impact: X-Force has demonstrated that a DoS vulnerability exists by exploiting the race condition. Attackers can take advantage of this vulnerability by crashing the Microsoft RPC service, and/or forcing vulnerable systems to reboot. X-Force has not demonstrated that this vulnerability can be used to execute arbitrary code or to compromise a vulnerable system. Significant barriers exist which may prevent reliable exploitation outside of controlled lab conditions. Affected Versions: Microsoft Windows 2000 Microsoft Windows XP For the complete ISS X-Force Security Advisory, please visit: http://xforce.iss.net/xforce/alerts/id/155 ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.