Dear Valued Microsoft Education Customer,
We are contacting you today to make you aware that we have released Microsoft Security Bulletin MS03-039 today, September 10, 2003. This bulletin details three critical vulnerabilities in the Windows operating system and provides instructions for applying the corresponding patch. While there is currently no active exploit of this vulnerability, if successfully exploited, these vulnerabilities would allow an attacker to gain control of the target system.
We strongly encourage you to obtain and deploy this patch to any affected system that connects to your infrastructure; this includes systems on your local area network and remote or mobile systems. For the most current information on affected systems and recommended remediation steps, please read the bulletin posted at:
http://email.microsoft.com/m/s.asp?HB10116521214X2690708X244964X
We understand the potential effect this situation and the recommended remediation steps may have on you. Microsoft is committed to providing you with information and tools to help run your enterprise safely and reliably on an on-going basis. When we become aware of vulnerabilities, it is our goal to quickly share protection and remediation information and work in partnership with you to eliminate these kinds of threats to your business. In order to help protect your computing environment from security vulnerabilities, we strongly encourage you to visit
http://email.microsoft.com/m/s.asp?HB10116521214X2690709X244964X
and implement the following three steps in your enterprise:
1. Verify firewall configuration. Audit Internet and intranet firewalls to ensure they comply with your security policy; these are your first line of defense. In addition, evaluate using host-level firewalls such as the Internet Connection Firewall in Windows XP. This is especially important for systems such as laptops and home PCs that connect to your network remotely.
2. Stay up-to-date. Use update services from Microsoft to keep your systems up-to-date. These services include three main components:
(a) Automatic Updates, available on Windows XP, Windows 2000 SP3 and SP4, and Windows Server 2003. Automatic Updates works with the Windows Update Web site to automate the process of updating Windows systems.
(b) Software Update Services (SUS), a patch-distribution server available for download from our Web site. SUS enables you to deploy a server in your enterprise that Automatic Updates clients will use to get only approved and tested patches.
(c) Systems Management Server (SMS) is a flexible, enterprise-wide software update and systems management product.
In addition to using these update services, we strongly recommend that you subscribe to Microsoft's free security notification service at
http://email.microsoft.com/m/s.asp?HB10116521214X2690710X244964X,
so that you are proactively kept aware of new security issues.
3. Use and keep antivirus software up-to-date. Antivirus software programs will help protect your systems against viruses and other malicious code. To protect your systems from new viruses, it's also important to obtain up-to-date antivirus signatures through a subscription service from the antivirus software vendor. You should not let remote users or laptops connect to your network unless they have up-to-date antivirus software installed. In addition, consider using antivirus software in multiple points of your computer infrastructure, such as on edge Web proxy systems, as well as on email servers and gateways.
You should also protect your network by requiring employees to take the same three steps with home and laptop PCs they use to remotely connect to your enterprise, and by encouraging them to talk with friends and family to do the same with their PCs. To make this easier, we have set up a new Web site to assist PC users at
http://email.microsoft.com/m/s.asp?HB10116521214X2690712X244964X
Again, we want to encourage you to read this security bulletin and deploy the patch to your systems. We want to thank you for your patience and work with you to protect your business from these kinds of security threats.
Thank you,
Microsoft Corporation
SECURITY BULLETIN:
Title:    Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
Date:     September 10, 2003
Software: Microsoft Windows NT Workstation 4.0
          Microsoft Windows NT Server(r) 4.0
          Microsoft Windows NT Server 4.0, Terminal Server Edition
          Microsoft Windows 2000
          Microsoft Windows XP
          Microsoft Windows Server 2003
Impact:   Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-039
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp
-----------------------------------------------------------------
Issue:
======
The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions.
There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation--two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS service. This interface handles DCOM object activation requests that are sent from one machine to another.
An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.
Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.
Mitigating Factors:
====================
- Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed.
Risk Rating:
============
- Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com/html)
- NSFOCUS Security Team (http://www.nsfocus.com)
- Xue Yong Zhi and Renaud Deraison from Tenable Network Security (http://www.tenablesecurity.com)
for reporting the buffer overrun vulnerabilities and working with us to protect customers.
-----------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security.