The vulnerability affecting Microsoft operating systems had many security experts nervously forecasting a worm exploiting the flaw and prompted the U.S. Department of Homeland Security to issue an alert in which the department noted its concern "that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer." Within a week of this alert, the MSBlast (a.k.a. Lovsan) worm rapidly began infecting users via the flaw.
The threat revolves around a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that is subject to a buffer overrun condition. If exploited, attackers could gain remote access to systems and run malicious code with local user privileges. The component, and thus the flaw, exists in all default versions of Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0. The flaw does not exist in Windows ME.
Microsoft issued Security Bulletin MS03-026 addressing the buffer overrun condition as critical and providing the necessary patch. However, at least one report to NTBugtraq contests the efficacy of the patch, stating that Denial of Service (DoS) attacks are still possible even on patched systems. Others report a reluctance to apply the patch to vulnerable XP systems, as doing so requires installation of Service Pack 1, a mix of regulatory fixes and security patches that for many became a nightmare. PC World reported on the problems with SP1 encountered by some users, with issues ranging from sluggish systems to an inability to boot up the system.
Home users who do not routinely apply security patches, users unable to apply the security patch for compatibility reasons, systems operating without firewall protection, and mobile laptop users may pose the largest risk. For example, an unprotected laptop could become infected and when subsequently reintroduced to the corporate network (thus bypassing the safety mechanism of the corporate firewall) allow the code access to the network.
At a minimum, any system with access to the Internet should be protected by a firewall. Home users can obtain free firewall protection from ZoneAlarm, which protects against both uninitiated inbound connection attempts and unauthorized outbound connection attempts. Some antivirus products also include firewall protection - Panda Antivirus Platinum is a top pick for virus protection and comes with both firewall protection and email/script filtering.
Firewall effectiveness can be double-checked via GRC.com's free ShieldsUp! test, which determines whether vulnerable ports are exposed. The ports pertinent to this vulnerability by default are TCP/UDP Port 135, TCP/UDP Port 139, and TCP/UDP Port 445. However, other ports may also be in use by services or protocols that rely on RPC. If the ShieldsUp! test indicates that any ports are left exposed on the Internet, either block those ports at the firewall or switch to a firewall that automatically denies all uninitiated inbound connection attempts.
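The same check can be scripted against your own hosts. The following is an added example, not part of the original article or of the ShieldsUp! service: it attempts a plain TCP connection to the three ports named above and reports which ones accept a connection. Run it from outside the firewall (pointing it at your own public address) to mirror what ShieldsUp! sees, or on the machine itself to see what is listening before the firewall gets involved. The port labels, function names and the self-test listener are assumptions of this example; note that a connect test covers only the TCP side of each port, not the UDP variants the article also lists.

```python
import socket
from contextlib import closing

# Ports the article names as relevant to the DCOM RPC flaw (TCP side only;
# a plain connect() test cannot probe the UDP variants). Labels are ours.
DCOM_RPC_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A firewall that silently drops packets shows up as a timeout (closed);
    a host with no listener answers with a reset (also closed); only a
    completed handshake counts as exposed.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def exposed_ports(host="127.0.0.1", ports=DCOM_RPC_PORTS, timeout=1.0):
    """Map each port to whether it accepted a TCP connection from this vantage point."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def report(host="127.0.0.1"):
    """Print a ShieldsUp!-style summary for one host and return the raw results."""
    results = exposed_ports(host)
    for port, is_open in results.items():
        state = "EXPOSED" if is_open else "closed/filtered"
        print("%s:%d (%s): %s" % (host, port, DCOM_RPC_PORTS.get(port, "?"), state))
    if any(results.values()):
        print("At least one RPC-related port accepts connections from here; "
              "block it at the firewall if this vantage point is the Internet.")
    return results


def self_test():
    """Demonstrate both outcomes without touching real RPC ports.

    Opens a throwaway listener on an ephemeral loopback port (constructed
    for the demo), confirms it is reported open, closes it, and confirms
    the same port is then reported closed. Returns (seen_open, seen_closed).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen_open = tcp_port_open("127.0.0.1", port)
    listener.close()
    seen_closed = not tcp_port_open("127.0.0.1", port)
    return seen_open, seen_closed


if __name__ == "__main__":
    print("self-test (open, closed):", self_test())
    report("127.0.0.1")
```

A "closed/filtered" result from the Internet side is what you want for all three ports; an "EXPOSED" result on a home machine means the firewall is not doing its job for that port, regardless of whether the MS03-026 patch has been applied.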
An additional layer of security can be achieved by disabling DCOM. This may be particularly effective for home users, who are not typically part of a network and thus are unlikely to require remote access to other computers or to need their own computer accessed remotely.