Microsoft Security Advisory (921923)

Purpose of Advisory: Notification of the availability of a security update to help protect against this potential threat.

Advisory Status: As this issue is already addressed as part of the MS06-025 security bulletin, no additional update is required.

Recommendation: Install MS06-025 security update to help protect against this vulnerability.

This advisory discusses the following software.

What is the scope of the advisory?
Microsoft is aware of public posting of exploit code targeting vulnerabilities identified in Microsoft Security Update MS06-025. This affects the software that is listed in the “Overview” section

Is this a security vulnerability that requires Microsoft to issue a security update?
No. Customers who have installed the MS06-025 security update are not affected by this vulnerability. No additional update is required.

What causes this threat?
An unchecked buffer in Routing and Remote Access technologies specifically affecting the Remote Access Connection Manager Service (RASMAN)

What does the feature do?
The Remote Access Connection Manager is a service that handles the details of establishing the connection to the remote server. This service also provides the client with status information during the connection operation. The Remote Access Connection Manager starts automatically when an application loads the RASAPI32.DLL

What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Are there any known issues with installing Microsoft Security Update MS06-025 that protects against this threat?
Microsoft Knowledge Base Article 911280documents the currently known issues that customers may experience when they install the security update. Only customers who use dial-up connections that use scripts that configure their device for parity, stop bits or data bits or a post-connect terminal window or dial-up scripting, are affected by the issues identified in the KB article. If customers do not use any of the dial-up scenarios identified they are encouraged to install the update immediately..

If you have installed the update released with Security Bulletin MS06-025, you are already protected from the attack identified in the publicly posted proof of concept code. If you have not installed the update or are affected by any of the scenarios identified in Microsoft Knowledge Base Article 911280 customers are in encourage to disable the Remote Access Connection Manager Service.

• Disable the Remote Access Connection Manager service

  Disabling the Remote Access Connection Manager service will help protect the affected system from attempts to exploit this vulnerability. To disable the Remote Access Connection Manager (RASMAN) service, follow these steps:

  1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Services.
  4. Double-click Remote Access Connection Manager
  5. In the Startup type list, click Disabled.
  6. Click Stop, and then click OK.

  You can also stop and disable the Remote Access Connection Manager (RASMAN) service by using the following command at the command prompt:

  sc stop rasman & sc config rasman start= disabled

  Impact of Workaround: If you disable the Remote Access Connection Manager service, you cannot offer routing services to other hosts in local area and wide area network environments. Therefore, we recommend this workaround only on systems that do not require the use of RASMAN for remote access and routing.

• Block the following at the firewall:
  • UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
  • All unsolicited inbound traffic on ports greater than 1024
  • Any other specifically configured RPC port

  These ports are used to initiate a connection with RPC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports that RPC uses, visit the following Web site.

• To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.

  By default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet. In Windows XP Service Pack 2 this features is called the Windows Firewall.

  To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.

  To configure Internet Connection Firewall manually for a connection, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
  3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
  4. Click the Advanced tab.
  5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.

  Note If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.

• Customers who believe they have been attacked should contact their local FBI office or post their complaint on theInternet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.
• Customers in theU.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses." International customers can receive support by using any of the methods that are listed at Security Help and Support for Home Users Web site.
  
  All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
• For more information about staying safe on the Internet, customers can visit theMicrosoft Security Home Page.
• Keep Windows Updated

  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.