Critical Vulnerability: MS05-051 (902400)

FNAL Critical Vulnerability
Platform: Microsoft Windows 2000, Windows XP, Windows 2003
Exploitation: Remote from anonymous user (Windows 2000), Remote from authenticated user (others)
Service: MSDTC, TIP
Patch By: 10/14/2005

The MSDTC (Microsoft Distributed Transaction Coordinator) vulnerability addressed in this patch set can be remotely exploited by an anonymous user on Windows 2000 platforms. No information is available on the exploitation method for Windows XP SP0, but one should assume it is the same as for Windows 2000. XP SP1 does not have the service started by default, although one can start it. W2K3 Server has the service started, but does not accept network connections to the service unless configured to do so. Both XP SP1 and W2K3 require authenticated access to exploit.

There are also vulnerabilities in the TIP services that result in a denial of service (if the services are running). One of these vulnerabilities can be used to create a denial of service against other network nodes through a vulnerable host.

Because the MSDTC vulnerability can be exploited through anonymous access, and a working exploit for it is available, all Windows systems must be patched by the end of Friday, 10/14/2005.

You may notice a trend with the latest Microsoft patches where anonymous access is available against Windows 2000, but authenticated access is required for XP SP1 and W2K3. This might be a good time to start thinking about upgrading those Windows 2000 installations (servers and workstations). Also, there are ways you can limit the authenticated user access setting via a logon over network group policy (info on doing so will be coming in the next few days). See your local Windows representative for more details on setting group policies if you are interested.

Patch information:
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

 

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)