Slashdot Mirror


HomeSec Warns Again About Microsoft's Insecurity

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

10 of 497 comments

  1. Re:How big a threat is this? by diersing · Score: 4, Informative
    It could be bad if the Windows admins out there aren't paying attention. But most sysadmins in MS shops realize the frequency of these kinds of patches and are good about applying them in a timely manner. This was released over 10 days ago (I got notified on the 19th), and I have already applied it to the 350+ MS servers on our network. If the lazy admin has configured auto-update, they are protected as well.

    The primary vehicle for spreading this type of exploit is all the MS clients of broadband users; many untechy PC owners will be to blame if this thing hits hard. And yes, I think it could be worse than Slammer/Code Red because it's RPC. Pretty much all the MS clients out there are going to have it running (versus an IIS exploit).

  2. Re:Pretty Bad by pascalb3 · Score: 5, Informative

    Check out CERT, a good site for this stuff. Here's their warning (more info than DHS). A list of what they have to block:
    135/TCP
    135/UDP
    139/TCP
    139/UDP
    445/TCP
    445/UDP

    Also, it appears 4444 is being used.

    Security Focus's incidents mailing list is also enlightening. And for good measure, a posting on the ineffectiveness of one of MS's patches (as of 29 Jul).

  3. Re:Pretty Bad by Troed · Score: 4, Informative
    Mod parent down. Bugtraq posting listing several other attack vectors:

    • ncacn_ip_tcp : TCP port 135
    • ncadg_ip_udp : UDP port 135
    • ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
    • ncacn_http : if active, listening on TCP port 593.
    • ... and finally, even port 80 might be used if ncacn_http is active, and COM Internet Services is installed and enabled.

  4. Re:How big a threat is this? by mark_lybarger · Score: 4, Informative

    Maybe you were going for +1 phunny, but I'll swing anyway.

    Windows XP isn't really an upgrade for Win98 machines. Win 98 was delivered on PII 266 MHz, 32/64 MB RAM, 2-4 MB PCI video systems. I would hate to try anything on a system like that with XP. Sure, the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.

  5. Re:Pretty Bad by I8TheWorm · Score: 3, Informative

    Actually, 135, 139, and 445.

    NetBEUI = Port 135. NetBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a file sharing protocol used in Windows. The attempt hits 445, and if it's successful, it sends an RST to 139 (if NetBIOS is installed, otherwise 139 is never used). If there's no response from 445, it continues the SMB session over 139.

    --
    Saying Android is a family of phones is akin to saying Linux is a family of PCs.
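An added example, not code from the thread, from CERT or from any advisory it links: a small Python probe that checks which of the RPC transports listed in the Bugtraq posting above (TCP 135, 139, 445, 593 and, when COM Internet Services is enabled, 80) a host accepts connections on, plus a function mimicking the SMB client behaviour described in the previous comment (try 445 first, fall back to 139 only if 445 does not answer). It uses plain TCP connects only and never speaks RPC or SMB, so "reachable" means "the port is not filtered", not "the host is vulnerable". The target address and the `local_listener` helper (a throwaway listener so you can watch the probe work against your own machine) are assumptions made for this example.

```python
"""Probe which RPC/SMB transports a host exposes (added example, not from
the Slashdot thread). Plain TCP connects only; nothing here sends RPC or SMB."""
import socket
from typing import Dict, List, Optional, Tuple

# Transport name -> TCP port, from the Bugtraq list quoted in the thread.
# ncadg_ip_udp (UDP 135) is left out on purpose: a bare UDP probe cannot tell
# "open" from "filtered" without actually speaking the RPC protocol.
RPC_TCP_VECTORS: Dict[str, int] = {
    "ncacn_ip_tcp (endpoint mapper)": 135,
    "ncacn_np via SMB over NetBIOS": 139,
    "ncacn_np via SMB direct": 445,
    "ncacn_http (RPC over HTTP)": 593,
    "ncacn_http via COM Internet Services": 80,
}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out or unreachable all count as "not exposed"
        return False


def exposed_vectors(host: str, vectors: Dict[str, int] = RPC_TCP_VECTORS,
                    timeout: float = 1.0) -> List[Tuple[str, int]]:
    """List the (transport, port) pairs on host that accept a connection,
    in the order the vectors were given."""
    return [(name, port) for name, port in vectors.items()
            if tcp_open(host, port, timeout)]


def pick_smb_port(host: str, direct_port: int = 445, netbios_port: int = 139,
                  timeout: float = 1.0) -> Optional[int]:
    """Reproduce the client behaviour described in the thread: use SMB direct
    (445) if it answers, otherwise fall back to SMB over NetBIOS (139).
    Returns the port that answered, or None if neither did."""
    if tcp_open(host, direct_port, timeout):
        return direct_port
    if tcp_open(host, netbios_port, timeout):
        return netbios_port
    return None


def local_listener(port: int = 0) -> socket.socket:
    """Assumption for this example: a throwaway loopback listener so the probe
    can be exercised offline. Port 0 lets the OS pick a free port; read it back
    with sock.getsockname()[1]. Caller closes the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(16)
    return sock


if __name__ == "__main__":
    target = "127.0.0.1"  # assumption: probe your own host; change as needed
    for name, port in exposed_vectors(target):
        print(f"{target}:{port} reachable -> {name}")
    print("SMB client would use port:", pick_smb_port(target))
```

Run it from outside your perimeter against an address you own: any line it prints for 135, 139, 445 or 593 is a transport the firewall rules discussed in this thread were supposed to close.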
  6. Re:How big a threat is this? by saskwach · Score: 5, Informative

    Someone did their reporting wrong. The huge gaping flaw that was announced recently pertained only to computers with the NT kernel (WinNT, Win2000, WinServ2003, WinXP). This vulnerability does NOT affect 98/98SE/ME/95/3.1/what have you.

  7. Linux Users? by Chibi+Merrow · Score: 5, Informative

    I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them

  8. Re:How big a threat is this? by kikta · Score: 3, Informative

    Pretty sure they don't. I believe this is something only on the NT side of the house.

  9. Fixes by DanV · Score: 3, Informative

    If I understand right, 4444 is the port the exploit for the DCOM bug connects to.
    I updated all my systems, and firewalled 135/139/445 (UDP and TCP) and 4444 (TCP).
    I know I am gonna get modded down for this, but if you haven't already, I suggest you fix this ASAP.
    You can get the fix from here for Windows 2000, and here for Windows XP.

    The exploit has it in the code:

    target_ip.sin_port = htons(4444);

    Also, notice the comment about the shell code:
    /* port 4444 bindshell */

    Dan
    Security consultant
    ClickNews

  10. Re:Port/Process utility for Windows? by gregarican · Score: 4, Informative
    Search for a utility called FPort. It will map out all of the active PIDs with the TCP/UDP port and associated process. Some processes can hide themselves through rundll32.exe (Win9x) or svchost.exe (WinNT/2K/XP), however.

    But you can get an idea about what ports are sitting out there either listening or actively transferring.
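An added example, not code from the thread and not part of Foundstone's FPort: a Python triage script that parses port-to-process output laid out the way FPort prints it (Pid, Process, `->`, Port, Proto, Path; that layout is an assumption made here) and flags what this thread tells admins to look for: a TCP listener on 4444 (the `port 4444 bindshell` comment in the exploit quoted above), an RPC/SMB port (135, 139, 445, 593) served by a binary outside the Windows system directory, and listeners with no path at all that are not the kernel's own `System` process. The sample output embedded below is constructed for this example, including the `svch0st.exe` entry, and was not captured from a real host.

```python
"""Triage FPort-style port-to-process output (added example, not from the
thread or from FPort). The sample output is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List

BINDSHELL_PORT = 4444                      # the exploit's bind shell port
RPC_SMB_PORTS = {135, 139, 445, 593}       # transports listed in the thread
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
KERNEL_PIDS = {4, 8}                       # "System" is PID 8 on NT/2000, 4 on XP/2003

# Constructed sample modelled on FPort's table layout (assumption).
SAMPLE_FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  lsass          ->  1025  TCP   C:\\WINNT\\system32\\lsass.exe
1764  svchost        ->  4444  TCP   C:\\WINNT\\system32\\svchost.exe
2012  svch0st        ->  135   TCP   C:\\TEMP\\svch0st.exe
392   svchost        ->  135   UDP   C:\\WINNT\\system32\\svchost.exe
"""

# One data row: pid, process, "->", port, proto, optional path.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)(?:\s+(?P<path>.*\S))?\s*$")


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when the tool printed no path


def parse_fport(text: str) -> List[Listener]:
    """Turn FPort-style output into Listener records; non-data lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(Listener(int(m["pid"]), m["proc"], int(m["port"]),
                                 m["proto"], m["path"] or ""))
    return rows


def in_system_dir(path: str) -> bool:
    """True if the binary lives under a Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)


def triage(listeners: List[Listener]) -> List[str]:
    """Return one human-readable finding per suspicious listener."""
    findings = []
    for l in listeners:
        tag = f"pid {l.pid} ({l.process}) on {l.port}/{l.proto}"
        if l.proto == "TCP" and l.port == BINDSHELL_PORT:
            findings.append(f"{tag}: matches the exploit's port 4444 bind shell")
        if l.port in RPC_SMB_PORTS and l.path and not in_system_dir(l.path):
            findings.append(f"{tag}: RPC/SMB port served from {l.path}, "
                            "not a Windows system binary")
        if not l.path and not (l.process == "System" and l.pid in KERNEL_PIDS):
            findings.append(f"{tag}: no path reported, cannot verify the binary")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_fport(SAMPLE_FPORT_OUTPUT)):
        print(finding)
```

Port-based checks like these only catch the bind shell while it is listening; as the comment above notes, a process hiding inside svchost.exe or rundll32.exe still shows the host's name, so the path and port rules are what separate the constructed `svch0st.exe` row from the legitimate svchost entries.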