In 2021, Microsoft acknowledged a critical vulnerability in its Distributed Component Object Model (DCOM) protocol. Even if you’ve never heard of DCOM, there’s a high likelihood that your current software systems rely on it in order to function properly. If you don’t already have plans in place to assess and remediate the problem, then you need to act quickly because the security measures being implemented by Microsoft could break your existing software. Beginning in March of 2023, you won’t be able to disable Microsoft’s changes, and you may be left with no short-term workarounds.
What is DCOM?
DCOM is a proprietary protocol developed by Microsoft and used in many Windows applications. It enables software programs to communicate with other programs and components across a network. Typically, this communication takes place behind the scenes, usually without the user even being aware of it.
The DCOM security vulnerability, known as CVE-2021-26414, can only be exploited via a successful phishing attack, and it only affects certain versions of the Microsoft Windows operating system. Nevertheless, Microsoft’s security fix will apply to all currently supported versions of Windows.
Microsoft’s solution to the DCOM vulnerability is to require an elevated level of authorization for a program to communicate with another software component using DCOM successfully.
That’s an appropriate response, but what if your software isn’t already designed to authenticate itself using those stricter security standards? The short answer is that it may not perform as expected. How your software behaves when it authenticates at a lower level than DCOM now requires will be application specific: users may see cryptic errors, or no errors at all but reduced or lost application functionality.
Knowing this, Microsoft has chosen to take a measured approach toward hardening DCOM security, giving customers adequate time to make the necessary adjustments, and ensuring that their systems continue to operate as expected. In addition, Microsoft has added DCOM-specific error logging within the Windows System Log to assist users with identifying potential issues.
Microsoft’s Phased Plan for Addressing the DCOM Vulnerability
As noted, the change has far-reaching implications, so in order to avoid breaking their customers’ existing software, Microsoft is taking a phased approach to addressing the issue:
- Starting in June of 2021, Microsoft made changes to its operating systems to harden them against this vulnerability, as described in their knowledgebase article MS KB5004442. By default, however, the new, higher security standards were turned off. System administrators could enable them simply by editing the Windows registry.
- Since June 2022, the increased security levels have been enabled by default. Customers who have not yet made the necessary assessments and changes to their software systems can disable these changes by editing the Windows registry.
- Beginning on March 14, 2023, customers will no longer have the option of disabling the elevated authorization requirements for applications that use DCOM. In other words, any of your applications that don’t meet the requirement for operating under the new security standard will cease to work properly.
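The registry switch referred to in the phases above and the DCOM-specific System log entries mentioned earlier can be checked from one PowerShell script. This is an added assessment script, not code from the Flexware post or from Microsoft; it assumes the registry value and event IDs documented in KB5004442 (RequireIntegrityActivationAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole\AppCompat, and events 10036, 10037 and 10038 from the Microsoft-Windows-DistributedCOM provider), and it only reads settings and logs.

```powershell
# Added DCOM hardening assessment script (assumption: values as documented in KB5004442).
# Read-only: reports the hardening override and summarises DCOM hardening events.
param(
    [int]$Days = 14   # how far back to look in the System log
)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$regName = 'RequireIntegrityActivationAuthenticationLevel'

# 1. Report the registry override (DWORD: 0 = hardening disabled, 1 = enabled;
#    absent = operating-system default, which is "on" since the June 2022 updates).
$value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($null -eq $value) {
    Write-Host "$regName not set: the OS default applies (enabled since the June 2022 updates)."
} elseif ($value -eq 0) {
    Write-Host "Hardening explicitly DISABLED in the registry (this override stops working on March 14, 2023)."
} elseif ($value -eq 1) {
    Write-Host "Hardening explicitly ENABLED in the registry."
} else {
    Write-Host "Unexpected value $value for $regName; treat as misconfigured."
}

# 2. Collect the hardening events. 10036 is logged on the server that rejected a
#    remote activation; 10037/10038 are logged on the client whose application asked
#    for an authentication level below Packet Integrity (explicit vs. default level).
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No DCOM hardening events in the last $Days days."; return }

# 3. One line per event ID with a count and the most recent message, so the
#    offending application, CLSID or remote client can be read off and raised
#    with the software vendor before the hardening becomes irreversible.
$events | Group-Object Id | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $msg = $latest.Message -replace '\s+', ' '
    [pscustomobject]@{
        Id       = $_.Name
        Count    = $_.Count
        LastSeen = $latest.TimeCreated
        Sample   = $msg.Substring(0, [Math]::Min(200, $msg.Length))
    }
} | Format-List
```

Run it on each server and client in a DCOM-dependent chain; a host with no events is not necessarily safe, since the server-side event only appears once the hardening is enforced and a client actually fails.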
There are other important questions that could affect the impact of these changes on individual companies. If your Microsoft servers and workstations are separate, isolated systems, or are not required to accept automatic Windows updates, for example, and if you have no plans to install updated versions of the applications that run on them, then you might be able to forestall potential problems by avoiding any changes to your systems.
Nevertheless, it’s extremely likely that you will need to deal with the DCOM hardening issue eventually. At Flexware, we highly recommend that our customers perform a proactive assessment of critical systems and develop plans to ensure their business processes are not interrupted when the March 2023 changes become permanent and irreversible.
An Example from the Manufacturing World
As a leading IT service provider to global manufacturing companies, Flexware is working diligently with our customers to assess their level of risk and implement plans to update their systems accordingly. Typically, we do this in collaboration with the software companies and other technology vendors who serve these customers, as they too are acutely aware of the potential dangers customers could face if they don’t address DCOM hardening before March of 2023.
Rockwell Automation, for example, serves tens of thousands of manufacturing customers around the world with equipment and software that supports shop floor automation and digital transformation. When managers at Rockwell first heard about the DCOM vulnerability, they performed a thorough assessment of their software applications and the potential impact on manufacturing customers. They discovered that over 40 software products were affected by the change, either directly or indirectly.
They released a schedule of pending changes to the software, along with guidelines and recommendations for customers using Rockwell’s products. First in line was a tool for disabling the Microsoft changes that were turned on by default starting in June of 2022. Rockwell also announced changes to all affected products, implementing the necessary DCOM authorizations in all releases scheduled for March 2022 or later.
Just as importantly, Rockwell has issued guidelines for rolling out these changes. Mixing patched software with unpatched software, for example, may cause problems if the appropriate settings are not applied properly in Microsoft Windows. Testing systems throughout this process, likewise, is critical to ensuring a smooth transition.
Start with a Proactive Assessment
Most manufacturers are running a multitude of different systems, many of which are interdependent. That’s one of the problems that makes this issue especially challenging: DCOM, by its very nature, is essential to programmatic communication among different software applications and components. Even if an application is not directly affected, it may be impacted by the failure of other applications to conform to Microsoft’s DCOM hardening measures.
The bottom line: This can get complicated, and the best way to approach it is to undergo a thorough and systematic assessment of your application environment. March of 2023 is a hard deadline; and for companies running business-critical applications on the Windows operating system, the clock is ticking.
Flexware Innovation is working with many of our clients to assess their risk, communicate with software vendors, evaluate options for moving forward, and implement changes to ensure business continuity. If you would like to have a conversation about the impact of DCOM hardening on your business, please reach out to us for a free, no-obligation consultation.
Director of Marketing
I’m drawn to better and smarter ways of working and communicating. Many times that involves technology. Sometimes it doesn’t. Either way, work can and should be improved – continuously. I’m drawn to the mission of Flexware Innovation for these reasons. We’re committed to unleashing the potential of technology, freeing up leaders to focus on what’s next.