It has been reported that the Microsoft Windows Workstation service (WKSSVC.DLL) is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable host. The problem lies in how the Workstation service handles requests: it does not properly check bounds on remote data, making it possible to overwrite sensitive regions of system memory.
Block external access at the network boundary, unless external parties require service.
Filter network traffic of questionable integrity at network boundaries. Use ingress and egress filtering to block the entry and exit of prohibited traffic. Since the service binds to a number of ports, including random ports over 1024, it is strongly encouraged that all ports that do not explicitly require remote access are filtered. Filter all traffic destined for internal broadcast addresses. Use a stateful inspection firewall or application proxy server to ensure that incoming UDP packets with source port 53 are in fact DNS packets and that, of those, only expected replies to internally transmitted DNS queries are allowed in.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Use network intrusion detection systems to monitor networks for anomalous activity and report attempted attacks against network resources.
Disable any services that are not needed.
Systems not requiring the ability of remote users to execute commands should disable remote procedure call (RPC) where possible.
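The stateful DNS check recommended above (admit UDP source-port-53 packets only when they are DNS responses that answer a query sent from inside) can be sketched as follows. This is an added example, not code from the advisory or from any vendor; the class and function names, the addresses and the packets are all constructed for illustration.

```python
import struct

def dns_msg(txid, response):
    """Build a constructed DNS message: 12-byte header plus one question for example.com."""
    flags = 0x8180 if response else 0x0100  # QR bit (0x8000) marks a response
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question

class DnsReplyFilter:
    """Admit inbound UDP source-port-53 packets only as replies to recorded queries."""

    def __init__(self):
        self.pending = set()  # (resolver_ip, client_ip, client_port, txid)

    @staticmethod
    def _header(payload):
        if len(payload) < 12:  # shorter than the fixed DNS header: not DNS
            return None
        txid, flags = struct.unpack("!HH", payload[:4])
        return txid, bool(flags & 0x8000)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        hdr = self._header(payload)
        if dst_port == 53 and hdr and not hdr[1]:  # a query, not a response
            self.pending.add((dst_ip, src_ip, src_port, hdr[0]))

    def inbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        if src_port != 53:
            return False  # this filter only vouches for source-port-53 traffic
        hdr = self._header(payload)
        if hdr is None or not hdr[1]:
            return False  # source port 53 but not a DNS response
        key = (src_ip, dst_ip, dst_port, hdr[0])
        if key not in self.pending:
            return False  # unsolicited: no internal query matches
        self.pending.discard(key)  # one reply per query
        return True

def demo():
    fw = DnsReplyFilter()
    client, resolver = "10.0.0.5", "192.0.2.53"  # constructed addresses
    fw.outbound(client, 40000, resolver, 53, dns_msg(0x1A2B, False))
    return [
        fw.inbound("203.0.113.9", 53, client, 1025, dns_msg(0x1A2B, True)),  # unsolicited
        fw.inbound(resolver, 53, client, 40000, b"not-dns"),                 # malformed
        fw.inbound(resolver, 53, client, 40000, dns_msg(0x1A2B, True)),      # expected reply
        fw.inbound(resolver, 53, client, 40000, dns_msg(0x1A2B, True)),      # replayed
    ]

if __name__ == "__main__":
    print(demo())
```

Only the third packet is admitted: it comes from the resolver that was queried, goes to the port the query left from, carries the same transaction ID, and is the first such reply.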
Microsoft has released security advisory MS03-049 to address this issue. Users are strongly advised to obtain fixes, as new attack vectors greatly increase the speed of an attack on a targeted network. Cisco has released a security advisory detailing affected Cisco products. See the referenced advisory for details on obtaining fixes.