http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp From Patrick Steele, this looks like a pretty serious problem, patch now to avoid another Blaster...

UPDATE: Thought I'd include the technical details...this could be even more serious than the flaw which allowed Blaster to propogate...hopefully everyone turning on their Internet Connection Firewall / getting a hardware firewall after blaster will prevent spreading (I still see incoming Blaster / Nachi attempts on 135 every couple of minutes...)

Technical description:

The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation— two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.

Mitigating factors:

• Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed.

  For more information about the ports used by RPC, visit the following Microsoft Web site: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

Severity Rating:

	Windows NT 4.0 Server	Windows NT 4.0, Terminal Server Edition	Windows 2000	Windows XP	Windows Server 2003
Buffer Overrun Vulnerabilities	Critical	Critical	Critical	Critical	Critical
---	---	---	---	---	---
Denial of Service Vulnerability	None	None	Important	None	None
---	---	---	---	---	---
Aggregate Severity of all Vulnerabilities	Critical	Critical	Critical	Critical	Critical
---	---	---	---	---	---

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: Buffer Overrun: CAN-2003-0715

Buffer Overrun: CAN-2003-0528

Denial of Service: CAN-2003-0605

Tested Versions: Microsoft tested Windows Millennium Edition, Windows NT 4.0 Server, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.