Slashdot Mirror

← Back to Stories (view on slashdot.org)

HomeSec Warns Again About Microsoft's Insecurity

Posted by michael on from the repatch-and-sin-no-more dept.

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

15 of 497 comments (clear)

  1. Pretty Bad by the.jedi · · Score: 5, Insightful

    My friend works at MIT's network security.
    From wednesday to thursday they're compromise rate
    went from 3 computers an hour to 30.
    Right now they're just blocking the RPC port
    but the routers are starting to take some heavy
    traffic. Looks like this one is going to be pretty
    bad.

    --
    ThunderBird. Nuff said.
    1. Re:Pretty Bad by technix4beos · · Score: 3, Insightful

      Speaking of routers...

      Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?

      With more families getting online and having multiple computers in a network, wouldn't it make sense to install a router that protects against the silly port attacks?

      I believe a router these days costs about $50 USD, so it's far cheaper to purchase one than to buy a software based "firewall" solution, that might be turned off by little johnny anyhow.

      --
      user@host$ diff /dev/urandom /dev/uspto
  2. The Department of Homeland Security? by Wacky_Wookie · · Score: 5, Insightful

    Sounds more like The Department of Homeland in-security :)

    Joking aside I find the US media's "fear hyping" to be outrageous.

    "It could happen to you" Is a major catch phrase for the US media, and they are not talking about winning the lottery.

  3. I feel bad for the Poor slob(s).... by curtisk · · Score: 4, Insightful
    ....that works at Dept. of Homeland Security whose entire job will consists of keeping up to date with MS security advisories....

    wonder how they (DoHS) are feeling about their OS investment already? :)

    --

    Sehr geehrter Toilettenbenutzer!

  4. Switch campaign kick-off by SgtChaireBourne · · Score: 5, Insightful
    One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.
    A second interesting thing is why just this particular bug is getting the publicity. There's been no shortage of remote exploits for that product line, old or new, this year. Is it part of the new marketing campaign that's just kicking in?

    Along those lines, since most of the design flaws are downplayed for weeks/months/years after exploits are found. Apple, RedHat and SuSe have a good lead time to prepare switch campaigns.

    I'm sure a dollar value can be put on the peace of mind and increase productivity that goes with moving to a better workstation platform.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  5. Again.. by NetJunkie · · Score: 4, Insightful

    Patch your stuff and for goodness sake put up a firewall! RPC port open to the word? Why?!

  6. Govt should use its own OS. by sniggly · · Score: 5, Insightful

    It's time the government started to realize its own linux version has been developed to preclude vulnerabilities such as these that are caused mostly by sloppy programming.

    --
    Of those to whom much is given, much is required.
  7. Well engineered worms by Catskul · · Score: 5, Insightful
    I think it is going to be worse if someone actually has an objective (ie terrorists) because all of the worms I have heard of have been fairly poorly engineered.

    A well engineered worm would:

    Work on many different system.

    Use more than one security flaw. (spread by email, + kazaa, + IE hole, + sendmail hole)

    Patch that flaw once compromised, and open a separate hole

    Have at least different attack modes (slow and quiet and local sub nets, fast and hard and whole internet)

    Build up to critical mass before initiating fast attack mode.

    Attempt to hide itself from scans. (maybe randomly stop functioning for a while to offer false sense of security)

    Adjust its fingerprint so that it isn't simple to find computers which have the worm (use different ports, different protocols, send some different data when filling buffers etc)

    Offer a payload that makes patching difficult, goes after security websites that often offer patches, targets financial institutions, etc.

    Patch other programs on the system, back to previous insecure versions.

    And that's just off the top of my head. If someone really is sitting down and thinking about this, Im sure they could come up with much more dangerous specifications.

    I think someone should be writing a competing worm that patches all vulnerable systems, just in case this breaks out in to a chrisis.

    --

    Im not here now... Im out KILLING pepperoni
    1. Re:Well engineered worms by digitalunity · · Score: 4, Insightful

      In case you hadn't noticed, few virus writers are developing malicious code. It would appear that most of the internet worms of late are fairly innocuous, and their only design feature is the ability to replicate itself. However, there are others that send random files by e-mail to random people. That was kind of funny. No, if someone wanted to write some really mean code, they'd set up a worm that would find and infect at least a few hosts, and then destroy it's host OS. It wouldn't spread as fast as non-destructive worms, but it'd cause a lot of trouble for a lot of people.

      Personally, this RPC bug doesn't really get me thinking much. Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming. Now, on the otherhand, if a live exploit for BGP4 was ever discovered and published, we'd be in a world of hurt for quite a while.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:Well engineered worms by Finni · · Score: 4, Insightful
      Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming.

      True, but that doesn't cover any/all cases at all. Businesses with Windows servers can't turn off RPC (and sometimes can't turn off DCOM) on their users' laptops, right? So a laptop user goes home and uses dialup, or he has broadband and no router and gets infected. No he comes back into work the next day. The MS-supplied patch doesn't work in all cases, so even if they have a good patching system and a great firewall, they've still got a compromised, infectious system on their LAN. Mobile-user VPN has the same risks.

    3. Re:Well engineered worms by WhiteWolf666 · · Score: 5, Insightful

      Or, maybe, create a set of worms

      IANAWC (I am not a worm creator), but, you could have all kinds of worms running around. One that attacked on a large scale, seeking to infect as many systems as possible. Then it would download extra components as needed, but otherwise sit dormant, awaiting the final component. One that sought out unpatched, vulernable, Windows 2000/XP boxes, to use as a permanent base of operations (This one could be BIG). One that sought out infected systems, and modified the worm continuously, to confuse scanners. Any maybe, you could even have the dang things self-destruct? I don't know much about this, but you can setup applications on a Windows 2000/XP box that won't run until the next realmode boot, right? If it installs itself as a system file, scanners won't be able to remove it unless they run before the system is fully booted up. But if your worm runs the next time pre-bootup system maintenance is scheduled, and runs before any other task, you could have it eat the harddrive.

      If one were to prepare this sort of thing ahead of time, and released the worms one by one, most of the security community wouldn't anticipate the attack. Especially if they were all encrypted, and you released them in a quick enough period such that it would not be obviously that they were working together until after the fact.

      The other thing I wonder is why worms haven't targeted the infrastructure of weak networks. Like that worm that was discovered on the comcast dns servers. If somewhere were to create something that attacked the Windows 2000/XP (or any other operating system, but Windows seems like it would be the most vulnerable) TCP/IP stack, and only attacked systems behind vulnerable routers, and then utilized the hacked TCP/IP stack and hacked routers to hide all of the traffic, it would be extremely hard for anyone to tell what had happened, right?

      Of course, all of the things I have just said won't work, as I've described them. My knowledge of this topic is just too limited to really make much sense, but my point is I don't think we have seen a coordinated effort to run multiple, smaller worms in concert. This way you can spread a rapid, smaller infection, and use it to pave the way for a much more deadly, and harder to remove infection.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    4. Re:Well engineered worms by nat5an · · Score: 3, Insightful

      Well, admins can turn off RPC on their users' laptops. The average user probably has no need for this service to be running. Of course, you never know what Microsoft is using it for. You turn off the RPC service, and suddenly 10 unrelated things stop working. Such is the fun of being a Windows Admin (and I would know).

      --
      Head down, go to sleep to the rhythm of the war drums...
  8. Re:How big a threat is this? by los+furtive · · Score: 4, Insightful

    I agree with you. But if you have 128megs of ram (or even 64), I would strongly recommend upgrading to Windows 2000, for the stability alone. A P2 266/300/350 with Win2K is a fine machine.

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

  9. Port blocking by Gothmolly · · Score: 5, Insightful

    Is it me (insert tinfoil hat joke), or is anyone else disturbed by the increasing tendency of ISPs and vendors to say 'just block port xxx' on your network connection, as a response to problems? Is this one more step on the road of converting the Internet to simply an MSN-ified WWW? Where does the small, independent content creator turn as more and more barriers to market entry are enacted, either by FUDding ISPs, lobbying Congress, and blatant stupidity?

    --
    I want to delete my account but Slashdot doesn't allow it.
  10. Already hearing it as an excuse... by Satan's+Librarian · · Score: 3, Insightful
    For boxen being broken at ISP's. Interland trashed a rather important co-located server for us over the weekend, and blamed it on a "Worm" referencing this bug. AFAIK, no worm has yet been released, and certainly none was out then - anyone else been fed this kind of b.s.? Anyone heard of any truth to it at all?

    As far as DoHs getting in on the action - I think they'll cry wolf at anything to keep interest. The more afraid the public is on a daily basis, the more they are legitimized. I was appalled the other day to see this article on the front page a few days ago - no shit guys, thanks for the press release. Ya know what else? .COM stocks might not be the best investment if the company hasn't produced a product.

    Obviously this hole is a major one, but we've kinda known that unfirewalled Windows boxen on the net are a Bad Thing (tm). This hasn't changed, and it's not much more likely now for a worm to run rampant through everything that it was in the past - it'll happen, it'll suck, and everyone will do the same fire drill as every other time it happened. And a few, bright IT departments will switch to FreeBSD or similar for their external machines or put up a bloody firewall.

    --
    I write code.