November 2005
Microsoft Security Advisory Notification 911052 - Memory Allocation Denial of Service via RPC
ID: 01026
Ref: 693/2005
Date: 18 November 2005:12:53:06
Version: 1
Title: Microsoft Security Advisory Notification 911052 - Memory Allocation Denial of Service via RPC
Abstract:
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0928 -- Microsoft Security Advisory Notification 911052
Memory Allocation Denial of Service via RPC
18 November 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows XP SP 1
Windows 2000 SP 4
Publisher: Microsoft
Impact: Denial of Service
Access: Remote/Unauthenticated
Original Bulletin: http://go.microsoft.com/fwlink/?LinkId=56473
- - --------------------------BEGIN INCLUDED TEXT--------------------
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: November 16, 2005
********************************************************************
Security Advisory Released Today
==============================================
* Issued: November 16, 2005C
- Web site: http://go.microsoft.com/fwlink/?LinkId=56473
- - From the Microsoft Website
==========================
Microsoft is aware of public reports of proof-of-concept code that seeks to
exploit a possible vulnerability in Microsoft Windows 2000 Service Pack 4 and
in Microsoft Windows XP Service Pack 1. This vulnerability could allow an
attacker to levy a denial of service attack of limited duration.
On Windows XP Service Pack 1, an attacker must have valid logon credentials
to try to exploit this vulnerability. The vulnerability could not be
exploited remotely by anonymous users. However, the affected component is
available remotely to users who have standard user accounts. Customers who
have installed Windows XP Service Pack 2 are not affected by this
vulnerability. Additionally, customers running Windows Server 2003 and
Windows Server 2003 Service Pack 1 are not affected by this vulnerability.
Microsoft is not aware of active attacks that use this vulnerability or of
customer impact at this time. However, Microsoft is actively monitoring this
situation to keep customers informed and to provide customer guidance as
necessary.
Microsoft is concerned that this new report of a vulnerability in Windows 2000
Service Pack 4 and Windows XP Service Pack 1 was not disclosed responsibly,
potentially putting computer users at risk. We continue to encourage
responsible disclosure of vulnerabilities. We believe the commonly accepted
practice of reporting vulnerabilities directly to a vendor serves everyone's
best interests. This practice helps to ensure that customers receive
comprehensive, high-quality updates for security vulnerabilities without
exposure to malicious attackers while the update is being developed.
We continue to encourage customers to follow our Protect Your PC guidance of
enabling a firewall, getting software updates, and installing antivirus
software Customers can learn more about these steps by visiting Protect
Your PC Web site.
Mitigating Factors
==================
On Windows XP Service Pack 1 an attacker must have valid logon credentials to
try to exploit this vulnerability. The vulnerability could not be exploited
remotely by anonymous users. However, the affected component is available
remotely to users who have standard user accounts. In certain configurations,
anonymous users could authenticate as the Guest account. For more information,
see Microsoft Security Advisory 906574.
Customers who are running Windows XP Service Pack 2, Windows Server 2003 and
Windows Server 2003 Service Pack 1 are not affected by this vulnerability.
Firewall best practices and standard default firewall configurations can help
protect networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet have
a minimal number of ports exposed.
Support:
========
Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
valuable information to help you protect your network. This
newsletter provides practical security tips, topical security
guidance, useful resources and links, pointers to helpful
community resources, and a forum for you to provide feedback
and ask security-related questions.
You can sign up for the newsletter at:
http://www.microsoft.com/technet/security/secnews/default.mspx
* Microsoft has created a free e-mail notification service that
serves as a supplement to the Security Notification Service
(this e-mail). The Microsoft Security Notification Service:
Comprehensive Version. It provides timely notification of any
minor changes or revisions to previously released Microsoft
Security Bulletins and Security Advisories. This new service
provides notifications that are written for IT professionals and
contain technical information about the revisions to security
bulletins. To register visit the following Web site:
http://www.microsoft.com/technet/security/bulletin/notify.mspx
* Protect your PC: Microsoft has provided information on how you
can help protect your PC at the following locations:
http://www.microsoft.com/security/protect/
If you receive an e-mail that claims to be distributing a
Microsoft security update, it is a hoax that may be distributing a
virus. Microsoft does not distribute security updates through
e-mail. You can learn more about Microsoft's software distribution
policies here:
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx
********************************************************************
THE INFORMATION PROVIDED IN THE THIS EMAIL IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************
- - --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
- -----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ30c8ih9+71yA2DNAQJcZgP+NnXuZtjRX3Peb4I4rrAb9s8tPmPhCRdN
FQEfqvbwsC+xMBt+FiLaYWs7DA47VMZIpyS8bgtuK5jnFNMnxKVRS3LqyKua6C6j
RvKRl/gAur9fVH4KP6ZexBQEqDKMpIYrDK3O1CrszqQ3MMikAW4G+MifSYVRWxq4
6N/3cGReKBs=
=odjj
- -----END PGP SIGNATURE-----