SANS Top-20 Internet Security Attack Targets: Windows Services Attacks (1/2)  
Author: Max : 2006/11/20
Windows Services Attacks 
W4. Windows Services

W4.1 Description

The Windows family of operating systems supports a wide variety of services, networking methods and technologies. Many of these components are implemented as Service Control Programs (SCP) under the control of the Service Control Manager (SCM), which runs as Services.exe. Vulnerabilities in the services that implement these operating system functions are one of the most common avenues for exploitation.
Several of the core system services provide remote interfaces to client components through Remote Procedure Calls (RPC). They are mostly exposed through named pipe endpoints accessible through the Common Internet File System (CIFS) protocol, through well-known TCP/UDP ports and, in certain cases, through ephemeral TCP/UDP ports. Historically, there have been many vulnerabilities in services that can be exploited by anonymous users. When exploited, these vulnerabilities afford the attacker the same privileges that the service had on the host.

Earlier versions of the operating system, especially Windows NT and Windows 2000, enabled many of these services by default for a better out-of-the-box experience. These non-essential services significantly increase the surface exposed to exploitation.
The critical vulnerabilities were reported in the following Windows Services within the past year:



Exploit code is available for these vulnerabilities. For instance, the vulnerability addressed by hotfix MS06-040 was exploited by the worms W32.Dasher.G and W32.Spybot.AKNO.

W4.2 Operating Systems Affected

Windows 2000 Workstation and Server, Windows XP Home and Professional, and Windows 2003 are all potentially vulnerable.

W4.3 CVE Entries
CVE-2006-0027,
CVE-2006-1314,
CVE-2006-2370,
CVE-2006-2371,
CVE-2006-3439

W4.4 How to Determine If You Are at Risk

  • Use any vulnerability scanner to check whether your systems are patched against these vulnerabilities. You can also consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.

  • You can also verify the presence of a patch by checking the registry key mentioned in the Registry Key Verification section of the corresponding security advisory. Additionally, it is advisable to also make sure the updated file versions mentioned in the advisory are installed on the system.

  • To check if your system is vulnerable to an issue in an optional service, you need to determine if the service is enabled. This can be done through the Service Manager interface, which can be invoked from Services in Administrative Tools.
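
The three checks above (service enabled, patch installed, advisory registry key present) can be scripted on a single host. The following is an added example, not part of the original article or of any SANS or Microsoft tooling. It assumes Windows PowerShell 3.0 or later, and every service name, KB identifier and registry path in it is a placeholder to be replaced with the values from the advisory being verified.

```powershell
# Added example (not from the original article). Requires Windows PowerShell 3.0+.
# ASSUMPTION: every name, KB ID and registry path below is a placeholder; take the
# real values from the security advisory you are verifying.
param(
    [string[]]$ServiceNames = @('PlaceholderServiceName'),
    [string[]]$KbIds        = @('KB0000000'),
    [string]  $PatchRegKey  = 'HKLM:\SOFTWARE\Placeholder\KeyFromAdvisory'
)

# Optional services: installed? enabled? running? under which account?
$serviceReport = foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc) {
        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode   # Auto, Manual or Disabled
            State     = $svc.State       # Running, Stopped, ...
            RunsAs    = $svc.StartName   # privileges an exploit would inherit
            # Running now, or able to be started again, counts as enabled.
            Enabled   = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
        }
    } else {
        [pscustomobject]@{ Name = $name; StartMode = 'NotInstalled'; State = $null
                           RunsAs = $null; Enabled = $false }
    }
}

# Patch status: installed-update list plus the advisory's registry key.
$patchReport = foreach ($kb in $KbIds) {
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KB           = $kb
        InHotFixList = [bool]$fix
        InstalledOn  = if ($fix) { $fix.InstalledOn } else { $null }
    }
}
$regKeyPresent = Test-Path -Path $PatchRegKey

$serviceReport | Format-Table -AutoSize
$patchReport   | Format-Table -AutoSize
"Advisory registry key present: $regKeyPresent"

# Flag the combination that matters: service enabled and no patch evidence found.
$unpatched = @($patchReport | Where-Object { -not $_.InHotFixList }).Count -gt 0
if ($unpatched -and -not $regKeyPresent) {
    $serviceReport | Where-Object Enabled | ForEach-Object {
        Write-Warning "$($_.Name) is enabled ($($_.State), runs as $($_.RunsAs)); no patch evidence found"
    }
}
```

A missing entry in the `Get-HotFix` output is not conclusive on its own, so treat a warning as a prompt to confirm the updated file versions listed in the advisory.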


