Slashdot Mirror

← Back to Stories (view on slashdot.org)

HomeSec Warns Again About Microsoft's Insecurity

Posted by michael on from the repatch-and-sin-no-more dept.

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

7 of 497 comments (clear)

  1. Re:How big a threat is this? by diersing · · Score: 4, Informative
    It could be bad if the Windows admins out there aren't paying attention. But, most sysadmins in MS shops realize the frequency of these kind of patches and are good about applying them timely. This was released over 10 days ago (I got notified on the 19th), and have already applied it to the 350+ MS servers on our network. If the lazy admin has configured auto-update they are protected as well.

    The primary vehicle for spreading this type of exploit, are all the MS clients of broadband users, many untechy PC owners will be to blame if this things hits hard. And yes, I think it could be worst then slammer/code red because its RPC. Pretty much all the MS client out there are going to have it running (versus an IIS exploit).

  2. Re:Pretty Bad by pascalb3 · · Score: 5, Informative

    Check out CERT, a good site for this stuff. Here's their warning (more info than DHS). A list of what they have to block:
    135/TCP
    135/UDP
    139/TCP
    139/UDP
    445/TC P
    445/UDP

    Also, it appears 4444 is being used,

    Security Focus's incidentmailing list is also enlightening. And for good measure, a posting on the ineffectiveness one of MS's patch (as of 29 Jul).

  3. Re:Pretty Bad by Troed · · Score: 4, Informative
    Mod parent down. Bugtraq posting listing several other attack vectors:

    • ncacn_ip_tcp : TCP port 135
    • ncadg_ip_udp : UDP port 135
    • ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
    • ncacn_http : if active, listening on TCP port 593.

    • ... and finally, even port 80 might be used if ncacn_http is active, and COM Internet Services is
      installed and enabled.
    --
    it's in my head
  4. Re:How big a threat is this? by mark_lybarger · · Score: 4, Informative

    maybe you were going for +1 phunny, but i'll swing anyway.

    Windows XP isn't really a upgrade for Win98 machines. Win 98 was delivered on PII 266mhz, 32/64MB RAM, 2-4MB PCI Video systems. I would hate to try anything on a system like that with XP. Sure the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.

  5. Re:How big a threat is this? by saskwach · · Score: 5, Informative

    Someone did their reporting wrong. The huge gaping flaw that was announced recently pertained only to computers with the NT kernel (WinNT, Win2000, WinServ2003, WinXP). This vulnerability does NOT affect 98/98SE/ME/95/3.1/whathaveyou.

  6. Linux Users? by Chibi+Merrow · · Score: 5, Informative

    I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
  7. Re:Port/Process utility for Windows? by gregarican · · Score: 4, Informative
    Search for a utility called FPort. It will map out all of the active PID's with the TCP/UDP port and associated process. Some processes can hide themselves through rundll32.exe (Win9x) or svchost.exe (WinNT/2K/XP), however.

    But you can get an idea about what ports are sitting out there either listening or actively transferring.