Why you must install a firewall NOW
If you haven't already installed a personal firewall on your Windows computer, consider this your last warning.

MSBlast, the recent worm that exploited the buffer overflow in Windows's DCOM RPC protocol, wasn't the sort of e-mail-borne pest that antivirus software is good at catching. Instead, it infiltrated computers directly through their Internet connections.

Although installing the latest Microsoft patches should prevent infections from this sort of worm, a simple software firewall will do the trick, too, whether or not you have antivirus software installed.

I MENTION THIS because Microsoft announced last week another critical flaw affecting DCOM RPC, and released a new patch to fix it that supercedes the previous patch for this protocol. While there are still no public exploits that take advantage of this flaw (exploits are often precursors to major worms), the clock is ticking. History has shown that worms are usually released within 30 days of a major vulnerability announcement.

In July, for example, Microsoft reported and patched a buffer overflow vulnerability in RPC based on the work of the Last Stage of Delirium Research Group. The MSBlast worm, which capitalized on this vulnerability, appeared on Aug. 12.

Last Wednesday, based on additional research by the companies eEye Digital Security, NSFOCUS, and Tenable Network Security, Microsoft reported two more buffer overflows and one denial-of-service vulnerability within its RPC protocol. The fact that it is similar to the first flaw could mean a shorter timeline to the next major RPC worm.

The Remote Procedure Call (RPC) is a protocol used by the Windows operating system. It's based on an RPC protocol from the Open Software Foundation, but it's the Microsoft-specific parts that are afflicted with vulnerabilities. The Distributed Component Model (DCOM), previously called Network Object Linking and Embedding (OLE), is a service that allows software on one computer to communicate directly with software on other computers over a network. In short, DCOM RPC in Windows allows a program on one machine to run code on another machine. To do so, a Windows computer must first listen on a dedicated port, usually 135.

…RPC, like other services that use DCOM, is turned on by default for all Windows versions, whether or not you are working on a network. Also, when your system's connected to the Internet, DCOM makes Windows automatically listen on port 135 (and others) for remote signals. This means a hacker need only construct a special message and aim it at port 135 on your Windows computer to cause a buffer overflow error. The buffer overflow, in turn, could replace part of a program's original code with new code.

That's how a hacker could use this flaw to take over your computer remotely. Upon seizing control of your computer, a hacker could then reformat the hard drive, use the computer to damage other computers, or steal personal data. (Note that this description makes it sound easier than it truly is to execute.)

http://www.zdnet.com/anchordesk/stories/story/0,10738,2914667,00.html