HomeSec Warns Again About Microsoft's Insecurity

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

How big a threat is this?

[mjmalone]

The security people at my office were talking about this vulnerability yesterday in our monthly meeting, they were saying it is likely going to be worse than slammer/code red/etc (which the article seems to back up)... Do you guys think this is that serious of a threat? A lot of what they were saying sounded like worst case scenario kind of stuff, hopefully it will not be that large of an issue. One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

Re:How big a threat is this?

[rde]

windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.#

So upgrade to Windows XP, or the 73rr0r1575 \/\/1ll win.

Re:How big a threat is this?

[tlovie]

I'm not sure if Windows98/se is vulnerable since microsoft's knowledge base specifically states that Windows ME is not vulnerable. The vulnerability is based on a buffer overflow of the RPC service. Does windows 95/98 even offer the RPC service?

Re:How big a threat is this?

[diersing]

It could be bad if the Windows admins out there aren't paying attention. But, most sysadmins in MS shops realize the frequency of these kind of patches and are good about applying them timely. This was released over 10 days ago (I got notified on the 19th), and have already applied it to the 350+ MS servers on our network. If the lazy admin has configured auto-update they are protected as well.

The primary vehicle for spreading this type of exploit, are all the MS clients of broadband users, many untechy PC owners will be to blame if this things hits hard. And yes, I think it could be worst then slammer/code red because its RPC. Pretty much all the MS client out there are going to have it running (versus an IIS exploit).

Re:How big a threat is this?

[gregmac]

One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

If this is true, Microsoft doesn't even acknowledge that it affects Windows98. It's one thing to not release a patch for an affected OS, it's quite another to not mention that it's affected.

Re:How big a threat is this?

[mark_lybarger]

maybe you were going for +1 phunny, but i'll swing anyway.

Windows XP isn't really a upgrade for Win98 machines. Win 98 was delivered on PII 266mhz, 32/64MB RAM, 2-4MB PCI Video systems. I would hate to try anything on a system like that with XP. Sure the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.

Re:How big a threat is this?

[saskwach]

Someone did their reporting wrong. The huge gaping flaw that was announced recently pertained only to computers with the NT kernel (WinNT, Win2000, WinServ2003, WinXP). This vulnerability does NOT affect 98/98SE/ME/95/3.1/whathaveyou.

Re:How big a threat is this?

[los+furtive]

I agree with you. But if you have 128megs of ram (or even 64), I would strongly recommend upgrading to Windows 2000, for the stability alone. A P2 266/300/350 with Win2K is a fine machine.

Re:How big a threat is this?

[Lumpy]

and the fun part is that cince corperate IT is so damn slow, current IT policy is "NOTHING HIGHER THAN SP3 on W2K machines."

so that makes all "OFFICIAL" machines in corperate will be hosed as usual when these things come through... Just like the stupid policy of no virus updates from anywher but the corperate server which is always at least 4-5 behind the software companies site. (Another policy I ignore.. I keep everything at the latest DAT)

Re:How big a threat is this?

[kikta]

Pretty sure they don't. I believe this is something only on the NT side of the house.

Microsoft really did it this time..

[Tirel]

This is turning out to be a huge problem, we got the exploit a bit *cough*early*cough* and by simply joining a channel on IRC you get a handful of IPs, of which at least a few are exploitable. And then they wonder why there are a thousands of ddos zombie machines running windows!

But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.

Re:Microsoft really did it this time..

[BWJones]

But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.

Shoot, this was a problem years ago leading me to never enable automatic updates after more than one Windows machine was completely FUBAR'ed after an update. We fought with security issues on Windows for a while, then dealt with the expense and hassle of IRIX (although IRIX is impressively stable), went back to Windows due to the cost and then simply migrated our servers to Apache on OS X. Safe, simple, stable, affordable and secure.

How long?

[Voltas]

2 years / millions of dollars and the Home Land Security people tell me that people like to attack Microsoft Products.

I'm glad I pay all those taxs!

Re:How long?

[rusty0101]

And what's the OS Vendor of choice for the Department of Homeland Security? I seem to recall a story or something about it.

Anyone want to talk to their representative or senators about that decision?

Re:How long?

[Jonsey]

I'm glad I pay all those taxs!

And I'm glad our "edjacashun" budget keeps rising to make the US more smarterer.

Re:How long?

[sniggly]

The sad part is that the NSA itself already was far ahead developing a secure OS that would do just fine for the dept of HS. Instead tax monies go to bill gates and his dancing monkeys.

Pretty Bad

[the.jedi]

My friend works at MIT's network security.
From wednesday to thursday they're compromise rate
went from 3 computers an hour to 30.
Right now they're just blocking the RPC port
but the routers are starting to take some heavy
traffic. Looks like this one is going to be pretty
bad.

Re:Pretty Bad

[tarquin_fim_bim]

"Which port is it that you need to block?"

To make windows secure?

All of them.

Re:Pretty Bad

[pascalb3]

Check out CERT, a good site for this stuff. Here's their warning (more info than DHS). A list of what they have to block:
135/TCP
135/UDP
139/TCP
139/UDP
445/TC P
445/UDP

Also, it appears 4444 is being used,

Security Focus's incidentmailing list is also enlightening. And for good measure, a posting on the ineffectiveness one of MS's patch (as of 29 Jul).

Re:Pretty Bad

[Troed]

Mod parent down. Bugtraq posting listing several other attack vectors:

• ncacn_ip_tcp : TCP port 135
• ncadg_ip_udp : UDP port 135
• ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
• ncacn_http : if active, listening on TCP port 593.
• 
  ... and finally, even port 80 might be used if ncacn_http is active, and COM Internet Services is
  installed and enabled.
  

Re:Pretty Bad

[technix4beos]

Speaking of routers...

Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?

With more families getting online and having multiple computers in a network, wouldn't it make sense to install a router that protects against the silly port attacks?

I believe a router these days costs about $50 USD, so it's far cheaper to purchase one than to buy a software based "firewall" solution, that might be turned off by little johnny anyhow.

Re:Pretty Bad

[I8TheWorm]

Actually, 135, 139, and 445.

NetBEUI = Port 135 netBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a file sharing protocol used in Windows. The attempt hits 445, and if it's succesful, it sends an RST to 139 (if NetBIOS is installed, otherwise 139 is never used). If there's no response from 445, it continues the SMB session over 139.

Ugh.

[JohnGrahamCumming]

Could we not go around referring to The Department of Homeland Security as HomeSec? The last thing we need is /. popularizing a cool sounding name for this behemoth.

If we need to refer to it then use the initial letters of its name... DoHs.

Somehow appropriate when they put out warnings like the last one.

John.

Re:Ugh.

[glwtta]

I just tend to call it MiniPax - is that better?

The Department of Homeland Security?

[Wacky_Wookie]

Sounds more like The Department of Homeland in-security :)

Joking aside I find the US media's "fear hyping" to be outrageous.

"It could happen to you" Is a major catch phrase for the US media, and they are not talking about winning the lottery.

They should know!

[jocknerd]

After all, they're giving Microsoft $90 million to run their computers.

I feel bad for the Poor slob(s)....

[curtisk]

....that works at Dept. of Homeland Security whose entire job will consists of keeping up to date with MS security advisories....

wonder how they (DoHS) are feeling about their OS investment already? :)

Re:Now if we can get them to arrest

[Zemran]

The whole Microsoft staff end up in Gauntanamo bay without trail or legal representation :) Seems fair to me...

windows at the office??

[chef_raekwon]

i could have sworn that 2 weeks ago, here on this very same slashdot....there was a story about HomeLand Security securing a very large purchase from Microsoft....aka 100 million, or some outrageous number like that..

isn't this a bit irresponsible of them, now that they are declaring Windows a vulnerability?

Hilarious!

[Wilersh]

Microsoft is now officially a threat to Homeland Security. Maybe George should drop some bombs on Redmond! We know where they are and they keep putting out a product that threatens our security. Oh wait, the government saw fit to give them a slap on the wrist and turn around and contracted even more unsafe software from them. They'll undoubtedly be mentioned in future hindsight publications from congress but on blanked out pages for national security reasons. That's what we do for "friends".

Ugh.

Wilersh

Color scale?

[Elendil]

On the DHS alert color code, blue means "guarded", just one notch lower than the alert level the USA have been living in for the last few months (with occasional orange flares). Should this color be reconsidered in sight of the well known Blue Screen of Death?

Switch campaign kick-off

[SgtChaireBourne]

One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

A second interesting thing is why just this particular bug is getting the publicity. There's been no shortage of remote exploits for that product line, old or new, this year. Is it part of the new marketing campaign that's just kicking in?

Along those lines, since most of the design flaws are downplayed for weeks/months/years after exploits are found. Apple, RedHat and SuSe have a good lead time to prepare switch campaigns.

I'm sure a dollar value can be put on the peace of mind and increase productivity that goes with moving to a better workstation platform.

Again..

[NetJunkie]

Patch your stuff and for goodness sake put up a firewall! RPC port open to the word? Why?!

Re:Again..

[White+Roses]

RPC port open to the word? Why?!

So it can be saved and get into heaven. Oh, you mean world.

Govt should use its own OS.

[sniggly]

It's time the government started to realize its own linux version has been developed to preclude vulnerabilities such as these that are caused mostly by sloppy programming.

Well engineered worms

[Catskul]

I think it is going to be worse if someone actually has an objective (ie terrorists) because all of the worms I have heard of have been fairly poorly engineered.

A well engineered worm would:

Work on many different system.

Use more than one security flaw. (spread by email, + kazaa, + IE hole, + sendmail hole)

Patch that flaw once compromised, and open a separate hole

Have at least different attack modes (slow and quiet and local sub nets, fast and hard and whole internet)

Build up to critical mass before initiating fast attack mode.

Attempt to hide itself from scans. (maybe randomly stop functioning for a while to offer false sense of security)

Adjust its fingerprint so that it isn't simple to find computers which have the worm (use different ports, different protocols, send some different data when filling buffers etc)

Offer a payload that makes patching difficult, goes after security websites that often offer patches, targets financial institutions, etc.

Patch other programs on the system, back to previous insecure versions.

And that's just off the top of my head. If someone really is sitting down and thinking about this, Im sure they could come up with much more dangerous specifications.

I think someone should be writing a competing worm that patches all vulnerable systems, just in case this breaks out in to a chrisis.

Re:Well engineered worms

[digitalunity]

In case you hadn't noticed, few virus writers are developing malicious code. It would appear that most of the internet worms of late are fairly innocuous, and their only design feature is the ability to replicate itself. However, there are others that send random files by e-mail to random people. That was kind of funny. No, if someone wanted to write some really mean code, they'd set up a worm that would find and infect at least a few hosts, and then destroy it's host OS. It wouldn't spread as fast as non-destructive worms, but it'd cause a lot of trouble for a lot of people.

Personally, this RPC bug doesn't really get me thinking much. Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming. Now, on the otherhand, if a live exploit for BGP4 was ever discovered and published, we'd be in a world of hurt for quite a while.

Re:Well engineered worms

[Finni]

Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming.

True, but that doesn't cover any/all cases at all. Businesses with Windows servers can't turn off RPC (and sometimes can't turn off DCOM) on their users' laptops, right? So a laptop user goes home and uses dialup, or he has broadband and no router and gets infected. No he comes back into work the next day. The MS-supplied patch doesn't work in all cases, so even if they have a good patching system and a great firewall, they've still got a compromised, infectious system on their LAN. Mobile-user VPN has the same risks.

Re:Well engineered worms

[hey]

Thanks for the tips ;-)

Yeah, I like the idea of changing DLLs on a system back to insecure versions and (of course) keeping the Add/Remove Programs list saying they patches have been applied. Needless to say this would be other worms/viruses would get in further making diagnosing more difficult.

If we want to see what nasty viruses do we need only look at nature. For example, AIDS (or the HIV virus if you want to be exact) attacks the immune system -- the part of the body that fights viruses. People with AIDS then die with opportunistic viruses, like pneumonia, take advantage of the situation. If you wrote a computer virus that only attacked the immune system of the net it would be quite a sight to see.

• Launch DDOS attached against Windows Update, Symantec, Norton, CERT websites
• Make the Windows update agent think all is well but to the user appear to functioning properly
• Likewise neuter virus checking programs by say altering their .EXE's to check for a different .DAT file. If the user can manage to get a current .DAT file he replace one that the program isn't looking at :-)

Re:Well engineered worms

[WhiteWolf666]

Or, maybe, create a set of worms

IANAWC (I am not a worm creator), but, you could have all kinds of worms running around. One that attacked on a large scale, seeking to infect as many systems as possible. Then it would download extra components as needed, but otherwise sit dormant, awaiting the final component. One that sought out unpatched, vulernable, Windows 2000/XP boxes, to use as a permanent base of operations (This one could be BIG). One that sought out infected systems, and modified the worm continuously, to confuse scanners. Any maybe, you could even have the dang things self-destruct? I don't know much about this, but you can setup applications on a Windows 2000/XP box that won't run until the next realmode boot, right? If it installs itself as a system file, scanners won't be able to remove it unless they run before the system is fully booted up. But if your worm runs the next time pre-bootup system maintenance is scheduled, and runs before any other task, you could have it eat the harddrive.

If one were to prepare this sort of thing ahead of time, and released the worms one by one, most of the security community wouldn't anticipate the attack. Especially if they were all encrypted, and you released them in a quick enough period such that it would not be obviously that they were working together until after the fact.

The other thing I wonder is why worms haven't targeted the infrastructure of weak networks. Like that worm that was discovered on the comcast dns servers. If somewhere were to create something that attacked the Windows 2000/XP (or any other operating system, but Windows seems like it would be the most vulnerable) TCP/IP stack, and only attacked systems behind vulnerable routers, and then utilized the hacked TCP/IP stack and hacked routers to hide all of the traffic, it would be extremely hard for anyone to tell what had happened, right?

Of course, all of the things I have just said won't work, as I've described them. My knowledge of this topic is just too limited to really make much sense, but my point is I don't think we have seen a coordinated effort to run multiple, smaller worms in concert. This way you can spread a rapid, smaller infection, and use it to pave the way for a much more deadly, and harder to remove infection.

Re:Well engineered worms

[Finni]

No. This has nothing to do with forced upgrades, because

1. They made patches for this covering all the way back to NT 4.0

2. They don't charge for these patches.

3. The bloody patch doesn't work.

Re:Well engineered worms

[nat5an]

Well, admins can turn off RPC on their users' laptops. The average user probably has no need for this service to be running. Of course, you never know what Microsoft is using it for. You turn off the RPC service, and suddenly 10 unrelated things stop working. Such is the fun of being a Windows Admin (and I would know).

Re:Well engineered worms

[johnnyb]

Actually, destroying the whole OS isn't as bad as you can get. Imagine if there were a worm packed with a payload like CPUburn! Or if it had drivers which hosed hardware. Especially if it was set to go off in the middle of the night, you could actually have a virus which inflicted hardware damage.

HomeSec. Ingsoc. MiniPax. Double-plus good.

[thelandp]

The name "HomeSec" reminds me of a few similar terms from George Orwell's important (and never more appropriate) book, 1984.

Most government departments actually are designed to achieve the opposite of their names. For example, the "Department of Homeland Security" is in fact designed to control the level of insecurity that people feel. Likewise, the ministry of defence is really about offence, and in 1984 the Ministry of Information is about disinformation and so on.

In the book, the language was controlled to the point of creating new terms like IngSoc, MiniPax (ministry of peace, really designed to perpetuate war), and Double-plus good.

The whole point here is to justify the actions of the government. Because it becomes alot easier to justify removing civil rights when there is the perceived threat of some common enemy.

No patch for Win98/SE?

[shunnicutt]

This suggests a new marketing slogan:

"If you don't upgrade to Windows XP, then the terrorists have already won!"

That's not true

[TheConfusedOne]

"Which port is it that you need to block?"

To make windows secure?

All of them.

You only have to block the port where the power cord goes into the computer. :-D

Linux Users?

[Chibi+Merrow]

I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.

google is fun

[sniggly]

Concidence or not? google news' primary link to this story points to the register's article about this vulnerability. In their best sour Brit register tradition theyre none too congratulatory about "free patches". Does bandwidth cost money?

WoMD?

[vgaphil]

Windows of Mass Destruction?

Re:how long has the patch been available?

[Rogerborg]

Jeez, you Microserf zealots are getting irrational and touchy. Back off man, that's our shtick. ;-P

Security

[atcurtis]

To make your computer truely secure, follow these simple steps:

1. Get a decent firewall
   
2. Configure it to deny everything except the ports you really need.
   
3. Unplug any conputer with really sensitive data from the network
   
4. In fact, unplug it from the wall power socket
   
5. Heck with it, it's still vulnerable from someone at the console - encase it in concrete
   
6. Cover the concrete block with copper sheeting to prevent against Echelon
   
7. Cover it with lead plate just to be safe from X-Rays.
   
8. Put it on a back of a trailer and tow it into a deep mine shaft. Salt mines go pretty deep.
   
9. More concrete please!
   
10. Use a tactical device to ensure that access to the bottom of the mine is difficult.
    

Should be truely secure... But for the overtly paranoid, concider dropping the planet into your local black hole. Please note that there may be information leakage as any entropy is represented on the black hole's event horizon.

Not practical... But fun.

It's all right

[Rogerborg]

"Based on this notification, no change to the Homeland Security Advisory System (HSAS) is anticipated; the current HSAS level is YELLOW."

Hasn't it been yellow for like ever? I think they just can't figure out how to change the bulb.

Slightly more seriously, are we all comfortable with the idea that the Vaterland Security Advisory System is now here to stay, and that it's now featured in contexts where the words "external" or "terrorists" don't appear? That Homeland Security bulletins, much like the "troops killed in Iraq" daily scorecard, are now routine routine occurances?

I've just had a kid. When he starts asking what the HSAS is, what do I tell him? "We're at War, junior. We've always been at War. Terrorists, drug barons, organized criminals, religious extremists, crackers, hackers, commies, arabs, they're all out to get us, and it's important to know just how scared the government wants us to be that we're going to die today."

Nice world he's going to grow up in.

Port blocking

[Gothmolly]

Is it me (insert tinfoil hat joke), or is anyone else disturbed by the increasing tendency of ISPs and vendors to say 'just block port xxx' on your network connection, as a response to problems? Is this one more step on the road of converting the Internet to simply an MSN-ified WWW? Where does the small, independent content creator turn as more and more barriers to market entry are enacted, either by FUDding ISPs, lobbying Congress, and blatant stupidity?

Fixes

[DanV]

If I understand right, 4444 is the port the exploit for the DCOM bug connects to.
I updated all my systems,and firewalled 135/139/445(UDP and TCP) and 4444(TCP).
I know I am gonna get modded down for this,but if you dont have already, I suggest you fix this ASAP.
You can get the fix from here for windows 2000, and here for windows xp.

The exploit has it in the code:

target_ip.sin_port = htons(4444);

Also, notice the comment about the shell code:
/* port 4444 bindshell */

Dan
Security consultant
ClickNews

Already hearing it as an excuse...

[Satan's+Librarian]

For boxen being broken at ISP's. Interland trashed a rather important co-located server for us over the weekend, and blamed it on a "Worm" referencing this bug. AFAIK, no worm has yet been released, and certainly none was out then - anyone else been fed this kind of b.s.? Anyone heard of any truth to it at all?

As far as DoHs getting in on the action - I think they'll cry wolf at anything to keep interest. The more afraid the public is on a daily basis, the more they are legitimized. I was appalled the other day to see this article on the front page a few days ago - no shit guys, thanks for the press release. Ya know what else? .COM stocks might not be the best investment if the company hasn't produced a product.

Obviously this hole is a major one, but we've kinda known that unfirewalled Windows boxen on the net are a Bad Thing (tm). This hasn't changed, and it's not much more likely now for a worm to run rampant through everything that it was in the past - it'll happen, it'll suck, and everyone will do the same fire drill as every other time it happened. And a few, bright IT departments will switch to FreeBSD or similar for their external machines or put up a bloody firewall.

Re:Port/Process utility for Windows?

[gregarican]

Search for a utility called FPort. It will map out all of the active PID's with the TCP/UDP port and associated process. Some processes can hide themselves through rundll32.exe (Win9x) or svchost.exe (WinNT/2K/XP), however.

But you can get an idea about what ports are sitting out there either listening or actively transferring.