In-Depth

Briefs: RPC/DCOM Vulnerability, Budgets Impact Regulatory Compliance

Microsoft offers patch to a critical Windows problem; survey shows few companies are in regulatory compliance

• By Mathew Schwartz
• 08/06/2003

Security managers should immediately patch systems against a “critical”—the most serious—vulnerability, says Microsoft. The problem affects Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP, and Windows Server 2003. Windows 9x and Millennium editions are not affected.

The vulnerability arises from a flaw in the Remote Procedure Call, an inter-process communication mechanism used by Windows that allows a program running on one computer to execute code on a remote system. In particular, the software incorrectly handles malformed TCP/IP messages. A correctly malformed message will let an attacker execute code on a user’s system. “The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges,” notes Microsoft.

In particular, the message must be sent to a specific RPC port: 135, 139, or 445. Most firewalls, notes Microsoft, including the Windows Internet Connection Firewall, block those ports by default.

The Distributed Component Object Model (DCOM), which listens for messages, is also to blame. Administrators should deactivate DCOM where it is not needed, as it will help machines resist this exploit, says Microsoft.

Microsoft's Security Bulletin MS03-026: can be found here: http://info.101com.com/default.asp?id=2405

Regulatory Compliance Suffers Because of Insufficient Security Budgets

Overall, security spending—on technology, education, training, and infrastructure—continues to slip, and more than half of companies surveyed by Ernst & Young cited an insufficient budget as the primary obstacle to effectively implementing needed security.

Those are some of the findings released by Ernst & Young from its 6th Annual Global Information Security Survey, with feedback from 1,400 companies representing 26 industries across 66 countries.

Budget constraints may be the reason for such non-compliance; only one-third of organizations say they’re compliant with applicable regulations. Roughly one-third of respondents also rate themselves as “less than adequate” when it comes to detecting attacks on their systems. A similar number rate their incident response as inadequate.

"There's a clear disconnect between what organizations define as a major business objective—protecting their information resources—and where they allocate funding," says Mark Doll, Americas Director of Ernst & Young's Security Services.

He blames an unhealthy focus by senior executives on media reports of the latest virus or worm outbreak. Instead, he recommends companies focus on less publicized threats—disgruntled employees, ex-employees, network links to business partners with untrustworthy systems, theft of laptop and handheld computers, and insecure wireless access points set up by employees. "These factors can not only cause serious information security damage but also severely damage a company's reputation.” In addition, he says that focus will help companies correctly prioritize security spending.

The survey can be found at http://www.ey.com/globalsecuritysurvey.