US-CERT Technical Cyber Security Alert TA08-297A -- Microsoft Windows Server Service RPC Vulnerability

Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-297A

Microsoft Windows Server Service RPC Vulnerability

Original release date: October 23, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
* Microsoft Windows Vista
* Microsoft Windows Server 2008


A vulnerability in the way the Microsoft Windows server service
handles RPC requests could allow an unauthenticated, remote
attacker to execute arbitrary code with SYSTEM privileges.

I. Description

Microsoft has released Microsoft Security Bulletin MS08-067 to
address a buffer oveflow vulnerability in the Windows Server
service. The vulnerability is caused by a flaw in the way the
Server service handles Remote Procedure Call (RPC) requests. For
systems running Windows 2000, XP, and Server 2003, a remote,
unauthenticated attacker could exploit this vulnerability. For
systems running Windows Vista and Server 2008, a remote attacker
would most likely need to authenticate.

Microsoft Security Bulletin MS08-067 rates this vulnerability as
"Critical" for Windows 2000, XP, and Server 2003. The bulletin also
notes ", targeted attacks attempting to exploit the

This vulnerability has been assigned CVE-2008-4250. Further
information is available in a Security Vulnerability & Research
blog entry and US-CERT Vulnerability Note VU#827267.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code or
cause a vulnerable system to crash. Since the Server service runs
with SYSTEM privileges, an attacker could take complete control of
a vulnerable system.

III. Solution

Apply update

Microsoft has provided updates for this vulnerability in Microsoft
Security Bulletin MS08-067. Microsoft also provides security
updates through the Microsoft Update web site and Automatic
Updates. System administrators should consider using an automated
update distribution system such as Windows Server Update Services

Disable Server and Computer Browser services

Disable the Server and Computer Browser services on Windows systems
that do not require those services. A typical Windows client that
is not sharing files or printers is unlikely to need either the
Server or Computer Browser services. As a best security practice,
disable all unnecessary services.

Restrict access to server service

Restrict access to the server service (TCP ports 139 and 445). As a
best security practice, only allow access to necessary network

Filter affected RPC identifier

The host firewalls in Windows Vista and Windows Server 2008 can
selectively filter RPC Universally Unique Identifiers (UUID). See
Microsoft Security Bulletin MS08-067 for instructions to filter RPC
requests with the UUID equal to

IV. References

* US-CERT Vulnerability Note VU#827267 -

* Microsoft Security Bulletin MS08-067 -

* Microsoft Update - <>

* Windows Update: Automatic Update

* Windows Server Update Services (WSUS) Home -

* CVE-2008-4250 -

* More detail about MS08-067, the out-of-band netapi32.dll
security update -


The most recent version of this document can be found at:


Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@xxxxxxxx> with "TA08-297A Feedback VU#827267" in
the subject.

For instructions on subscribing to or unsubscribing from this
mailing list, visit <>.

Produced 2008 by US-CERT, a government organization.

Terms of use:


Revision History

October 23, 2008: Initial release

Version: GnuPG v1.4.5 (GNU/Linux)


Relevant Pages

  • SecurityFocus Microsoft Newsletter #176
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
  • SecurityFocus Microsoft Newsletter #155
    ... Does Microsoft Give a Damn? ... WideChapter HTTP Request Buffer Overflow Vulnerability ... MiniHTTPServer WebForums Server Default Password Vulnerabili... ... Microsoft Windows platforms. ...
  • SecurityFocus Microsoft Newsletter #122
    ... Spooked about Windows security? ... This event is fully supported by Microsoft. ... Blackboard Learning System SQL Injection Vulnerability ... Sambar Server results.stm Cross Site Scripting Vulnerability ...
  • SecurityFocus Microsoft Newsletter #83
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft IIS CodeBrws.ASP Source Code Disclosure Vulnerability ... Microsoft Internet Explorer History List Script Injection ... Microsoft Windows 2000 Lanman Denial of Service Vulnerability ...
  • SecurityFocus Microsoft Newsletter #49
    ... Subject: SecurityFocus Microsoft Newsletter #49 ... Microsoft Windows NNTP Denial of Service Vulnerability ... Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability ... Microsoft ISA Server H.323 Memory Leak Denial of Service... ...