Sunday, February 9, 2014

Explains why my laptop is hacked with Windows NT




http://en.m.wikipedia.org/wiki/Windows_NT_4.0

Microsoft Security Bulletin MS03-010

Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)

Originally posted: March 26, 2003
Updated: May 13, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Windows® NT 4.0, Windows 2000, or Windows XP
Impact of vulnerability: Denial of Service
Maximum Severity Rating: Important
Recommendation: Customers should install the patch at the earliest opportunity
Affected Software: Microsoft Windows NT 4; Microsoft Windows 2000; Microsoft Windows XP

General Information

Technical details

Technical description:

Note: Application of this security patch has been reported to, in some specific configurations, cause local COM calls to stop responding. This problem occurs only when several local RPC calls are made quickly from multiple threads, and each thread has a unique set of security credentials. A supported fix is now available from Microsoft. For additional information on this, and details of obtaining a fix, please see Microsoft Knowledge Base Article 814119.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft-specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.

To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.

Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ below, which is to protect the NT 4.0 system with a firewall that blocks port 135.

Mitigating factors:

To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper running on the target machine. For intranet environments, the Endpoint Mapper would normally be accessible, but for Internet-connected machines, the port used by the Endpoint Mapper would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.

Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server, please refer to http://msdn2.microsoft.com/en-us/library/Aa379441. To learn more about the ports used by RPC, please refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_simw.mspx?mfr=true

This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine.

Severity Rating:
Windows NT 4.0: Important
Windows NT 4.0, Terminal Server Edition: Important
Windows 2000: Important
Windows XP: Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1561

Tested Versions: Microsoft tested Windows NT 4.0, Windows 2000 and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?

During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system. Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below.

Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?

Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.

What's the scope of this vulnerability?

This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause a remote computer to fail. However, the attacker could not modify or retrieve data or execute code of his or her choice on the remote machine. To carry out such an attack, an attacker would require the ability to make a TCP/IP connection to the Endpoint Mapper running on the target machine. Once a TCP connection had been made, the attacker could send a malformed message to the RPC service and thereby cause the target machine to fail. The best defense against remote RPC attacks from the Internet is to configure the firewall to block port 135. RPC over TCP is not intended to be used across hostile environments such as the Internet.

What causes the vulnerability?

The vulnerability results because the Windows RPC Endpoint Mapper does not properly check message inputs under certain circumstances. If an attacker were to send a certain type of malformed RPC message after RPC established a connection, that could cause the RPC Endpoint Mapper process on the remote machine to fail. This process is responsible for maintaining the connection information of all the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.

What is RPC (Remote Procedure Call)?

Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

What is the RPC Endpoint Mapper?

The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol port or named pipe on which the server application listens for client remote procedure calls. Client/server applications can use either well-known or dynamic ports.

What's wrong with Microsoft's implementation of Remote Procedure Call (RPC)?

There is a flaw in the part of RPC that deals with message exchange over TCP/IP. A failure results because of incorrect handling of malformed messages. This particular failure affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. By sending a malformed RPC message, an attacker could cause the RPC service on a machine to fail.

What could this vulnerability enable an attacker to do?

This vulnerability could enable an attacker who could send RPC messages to the RPC Endpoint Mapper process on a server to launch a denial of service attack. Even though an attacker could cause machines to fail, it would not be possible to modify or retrieve data or execute code.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by programming a machine that could communicate with a vulnerable server over TCP port 135 to send a specific kind of malformed RPC message. Receipt of such a message could cause the RPC service on the vulnerable machine to fail.

What does the patch do?

The patch eliminates the vulnerability by correctly verifying the format of messages that are received via TCP/IP. This verification permits the RPC Endpoint Mapper to reject malformed messages.

Workarounds

I'm unable to install the patch for this vulnerability immediately. Is there anything I can do to protect myself from attempts to exploit this vulnerability?

Microsoft recommends the following workarounds:

Block port 135 at your firewall. Port 135 is used to initiate an RPC connection with the RPC Endpoint Mapper service. Blocking port 135 at the firewall will prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. However, to ensure that those systems cannot be attacked by systems behind the firewall, you should still consider applying the patch.

Internet Connection Firewall. If you are using the Internet Connection Firewall in Windows XP to protect your Internet connection, it will by default block inbound RPC traffic.

Patch availability

Download locations for this patch:
Microsoft Windows 2000: All except Japanese NEC; Japanese NEC
Windows XP: 32-bit Edition; 64-bit Edition

Additional information about this patch

Installation platforms:
The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.

Inclusion in future service packs: The fix for this issue will be included in Service Pack 4 for Windows 2000 and Service Pack 2 for Windows XP.

Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: None

Verifying patch installation:

Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953\Filelist

Windows XP:
If installed on Windows XP Gold:
To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q331953
To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q331953\Filelist

If installed on Windows XP Service Pack 1:
To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q331953
To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q331953\Filelist

Caveats:
Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack; however, due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.

Application of this security patch has been reported to, in some specific configurations, cause local COM calls to stop responding. This problem occurs only when several local RPC calls are made quickly from multiple threads, and each thread has a unique set of security credentials. A supported fix is now available from Microsoft. For additional information on this, and details of obtaining a fix, please see Microsoft Knowledge Base Article 814119.

Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches: Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the Windows Update web site.
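The verification steps above amount to checking for the Q331953 registry key on the right product/service-pack combination and then reading the per-file data under its Filelist subkey. The following PowerShell function does that check on the local machine; it is an added example, not part of the Microsoft bulletin or of any Microsoft tool. The key paths are the ones the bulletin quotes; the function name, the -Platform parameter values, and the assumption that Filelist is enumerable as child keys are this example's own. It assumes Windows PowerShell is present, which was not the case on the original Windows 2000 or Windows XP Gold releases.

```powershell
# Added example (not from the MS03-010 bulletin): report whether the Q331953
# patch is recorded in the registry, using the key paths the bulletin lists.
# Function name and -Platform values are assumptions made for this example.

function Test-MS03010Patch {
    [CmdletBinding()]
    param(
        # Product / service-pack combination the patch would have been applied to.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Windows2000', 'WindowsXPGold', 'WindowsXPSP1', 'WindowsNT4')]
        [string]$Platform
    )

    if ($Platform -eq 'WindowsNT4') {
        # The bulletin ships no patch for NT 4.0; the only mitigation is a
        # firewall in front of the host that blocks TCP port 135.
        return [pscustomobject]@{
            Platform  = $Platform
            Installed = $false
            Key       = $null
            Files     = @()
            Note      = 'No patch exists for Windows NT 4.0; confirm TCP/135 is blocked at the firewall.'
        }
    }

    # Registry keys quoted in "Verifying patch installation" (HKLM: provider paths).
    $keys = @{
        'Windows2000'   = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953'
        'WindowsXPGold' = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q331953'
        'WindowsXPSP1'  = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q331953'
    }
    $key       = $keys[$Platform]
    $installed = Test-Path -Path $key

    # The Filelist subkey carries the date/time and version data the bulletin
    # says to compare against the patched binaries. Its layout is assumed here
    # to be one child key per file; every value under each child is returned.
    $files = @()
    $fileListKey = Join-Path -Path $key -ChildPath 'Filelist'
    if ($installed -and (Test-Path -Path $fileListKey)) {
        $files = Get-ChildItem -Path $fileListKey | ForEach-Object {
            [pscustomobject]@{
                Entry      = $_.PSChildName
                Properties = Get-ItemProperty -Path $_.PSPath
            }
        }
    }

    if ($installed) {
        $note = 'Patch key present; compare Filelist entries against the installed binaries.'
    } else {
        $note = 'Patch key missing; install Q331953 or block TCP/135 at the firewall.'
    }

    [pscustomobject]@{
        Platform  = $Platform
        Installed = $installed
        Key       = $key
        Files     = $files
        Note      = $note
    }
}

# Example usage (run on the machine being checked):
Test-MS03010Patch -Platform 'WindowsXPSP1' | Format-List
```

The -Platform value matters because the same patch registers under a different service-pack branch depending on what was installed (XP Gold under SP1, XP SP1 under SP2), so checking the wrong branch reports a false negative. Requires read access to HKLM, which any interactive user normally has.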

Other information:

Acknowledgments: Microsoft thanks Jussi Jaakonaho for reporting this issue to us and working with us to protect customers.

Support: Microsoft Knowledge Base article 331953 discusses this issue. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
V1.0 (March 26, 2003): Bulletin Created.
V1.1 (May 13, 2003): Bulletin updated to include information and link to Microsoft Knowledge Base Article 814119, for customers experiencing technical problems after installing this patch.


Windows NT 4.0

Windows NT 4.0
Part of the Microsoft Windows family
(Screenshot of Windows NT 4.0)
Developer: Microsoft
Website: http://www.microsoft.com/ntworkstation/default.asp (defunct)
Initial release: 24 August 1996
Latest stable release: 4.0 SP6a (Build 1381), 26 July 2001
Source model: Closed source
License: Commercial proprietary software
Kernel type: Hybrid
Platform support: IA-32, Alpha, MIPS, PowerPC
Preceded by: Windows NT 3.51 (1995)
Succeeded by: Windows 2000 (2000)
Support status: Unsupported as of 30 June 2004 for Windows NT 4.0 Workstation[1] and 31 December 2004 for Windows NT 4.0 Server[2]

Windows NT 4.0 is a preemptive,[3] graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was part of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996.[4] It is a 32-bit Windows system available in both workstation and server editions with a graphical environment similar to that of Windows 95.

Overview

The successor to Windows NT 3.51, Windows NT 4.0 introduced the modern user interface of Windows 95 to the Windows NT product line, including the Windows Shell, Windows Explorer (known as Windows NT Explorer), and the use of "My" nomenclature (e.g. My Computer). It also includes most applications introduced with Windows 95. Internally, Windows NT 4.0 was known as the Shell Update Release (SUR).[5] Various administrative tools, notably User Manager for Domains, Server Manager and Domain Name Service Manager, have improved graphical user interfaces. The Start Menu in Windows NT 4.0 separated the per-user shortcuts and folders from the All Users shortcuts and folders by a separator line.[6] Windows NT 4.0 includes some enhancements from Microsoft Plus! for Windows 95 such as the 3D Pinball game, font smoothing, full window drag, high color icons and stretching the wallpaper to fit the screen. Windows Desktop Update could also be installed on Windows NT 4.0 to update the shell version and install Task Scheduler.[7] The Windows NT 4.0 Resource Kit included the Desktop Themes utility.[8]

Windows NT 4.0 is the last major release of Microsoft Windows to support the Alpha, MIPS or PowerPC CPU architectures. It remained in use by businesses for a number of years, despite Microsoft's many efforts to get customers to upgrade to Windows 2000 and newer versions. It was also the last release in the Windows NT line to be branded as Windows NT.

Features

(Screenshot: Windows NT 4.0 Server edition)

Although the chief enhancement has been the addition of the Windows 95 shell, there are several major performance, scalability and feature improvements to the core architecture, kernel, USER32, COM and MSRPC.[5][9] Windows NT 4.0 also introduced the concept of System Policies[10] and the System Policy Editor.

Other important features included with this release were the Crypto API,[5] Telephony API 2.0 with limited Unimodem support,[11] which was the first release of TAPI on Windows NT, DCOM and new OLE features,[12] Microsoft Transaction Server for network applications, Microsoft Message Queuing (MSMQ), which improved interprocess communication, Winsock 2 and the TCP/IP stack improvements, and file system defragmentation support.[13]

The server editions of Windows NT 4.0 include Internet Information Services 2.0, Microsoft FrontPage 1.1, NetShow Services, Remote Access Service (which includes a PPTP server for VPN functionality) and Multi-Protocol Routing service. There are new administrative wizards and a lite version of the Network Monitor utility shipped with System Management Server. The Enterprise edition introduced Microsoft Cluster Server.

One significant difference from previous versions of Windows NT is that the Graphics Device Interface (GDI) is moved into kernel mode[14] rather than being in user mode in the CSRSS process. This eliminated a process-to-process context switch in calling GDI functions, resulting in a significant performance improvement over Windows NT 3.51, particularly in the graphical user interface. This however also mandated that graphics and pri
