Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

MS Software Update Services (SUS)

[AcquaCow]

MS has software available to patch vast numbers of machines from a central server.

Software Update Services:
http://www.microsoft.com/windows2000/wi ndowsupdate /sus/default.asp
SUS Deployment:
http://www.microsoft.com/windows2000/ windowsupdate /sus/susdeployment.asp

Re:MS Software Update Services (SUS)

[BlueAlien.Org]

What the hell are you talking about? You can visit Technet to download the patch without looking through firewall logs to see what exe was downloaded. The same switches for silent/no reboot STILL work for this patch just as they always have.

Try to research what you write before you go about spreading FUD about Microsoft's practices.

Re:MS Software Update Services (SUS)

[pe1chl]

There is a Windows 2000 downloads site but they provide very few fixes. Fortunately it turns out that the fix for this one is on that site and is working without the Internet link.
But before, the fixes downloaded from Windows Update were actually the same files (only with a signature) as those available on the downloads site, but there were many more fixes on Windows Update.
This fix seems to change that pattern.

Well, in fact about every 10th fix changes a pattern. The naming convention, the commandline flags supported, whatever, they change it all the time.

This MUST be to make life easier for the administrators!

Re:MS Software Update Services (SUS)

Subscribe to Microsofts alerts services e-mail list.

Download the full .exe at:
http://www.microsoft.com/technet/treeview/?ur l=/te chnet/security/bulletin/MS03-039.asp

Save them to a local harddrive in C:\patches\KB824146 along with the 3 files below.

Create two batch files, and a file called log.txt

I use the following batch files to patch 500+ workstations and it works for ALL patches I've ever needed to push including W2k SP4, NT4 SP6a, Internet explorer upgrades, Office patches, etc.

There are some requirements. You must have ADMIN rights to the remote machines. They must Be NT4, 2000, or XP workstations. You must be able to access the remote admin shares (\\PC\C$), and the users must not be LOCKED down. Some patches require deleting registry keys in RUNONCE or RUN. If your stations are very tight, this may not work. The service "Task Scheduler" must be running on the remote machines. This is installed with IE 5 and above. SOON comes from the NT resource kit. If you don't have it, replace the SOON command with AT which you should have, and change the 390 to a valid time such as 12:00.

The batch files assume all machines have Windows installed on the C:\ drive in particular directories. You may need to modify this.

Certain W2k patches require SP3 or above to be installed. If you install some of these patches on SP2 or below, some W2k stations will die.

Try this at your own risk:

---Begin file:dist.bat---
ECHO. > distlog.txt
for /f "tokens=1,2,3,4,5,6,7,8,9,10" %%i in (log.txt) do call distcmd.bat %%i %%j %%k %%l %%m %%n %%o %%p %%q %%r
pause
---End file:dist.bat---

---Begin file:distcmd.bat. Modify as needed.---
echo=off
echo %1 %2 %3 %4 %5 %6 %7 %8 %9 %10

REM Add your SERVERS to this list
REM Do not patch servers using this method.
@IF /I %1 == AXIS GOTO END

if not exist \\%1\c$\temp\ md \\%1\c$\temp >> logging.txt

@echo %1 >> logging.txt

if exist \\%1\c$\winnt\system32\ntkrnlpa.exe goto w2000
if exist \\%1\c$\windows\system32\ntoskrnl.exe goto xp

xcopy "WindowsNT4Workstation-KB824146-x86-ENU.EXE" \\%1\c$\temp\. /r/d >> logging.txt
soon \\%1 390 ""c:\temp\WindowsNT4Workstation-KB824146-x86-ENU.E XE"" -q -m -z >> logging.txt
goto end

:xp

xcopy WindowsXP-KB824146-x86-ENU.exe \\%1\c$\temp\. /r/d >> logging.txt
soon \\%1 390 ""c:\temp\WindowsXP-KB824146-x86-ENU.exe"" -q -m -z >> logging.txt
goto end

:w2000
xcopy Windows2000-KB824146-x86-ENU.exe \\%1\c$\temp\. /r/d >> logging.txt
soon \\%1 390 ""c:\temp\Windows2000-KB824146-x86-ENU.exe"" -q -m -z >> logging.txt
goto end :end
rem exit
---End file:distcmd.bat---
In the file named log.txt put in your machine names that you want to patch. Only patch Workstation using this technique.

---Begin file:log.txt---
MIS01
SHOP01
SALES01
---End file:log.txt---

This may seem like a pain in the but, however once you've got it working you can cut and paste this directory and make a few changes to push any patch that Microsoft releases. If the patch doesn't require -q -m -z, then use /q:a /r:n that covers 99% of them. Others will have the command lines in the Technet document.

All rights reserved, 2003 ACMENEWS.COM LLC

Re:jebus h flippin' christ

[grub]

Outlook and Exchange use TCP/135 to communicate. Not everyone uses a VPN to read their Exchange-served email when remote you know.

Re:Been there, done that...

[Col.+Klink+(retired)]

In some places, we actually test that all of our critical applications will continue to run after applying patches to the OS rather than just blindly applying every patch and hoping nothing breaks.

this one is also an RPC flaw

[pyros]

According to this release it is another RPC buffer exploit.

Re:Fine journalism

the worm crashed a Unix server.

It says, to be more precise, that the worm caused high volumes of network traffic causing the Unix server to malfunction. This wouldn't have happened had they not bridged the office network with the power station network. Guess what machines were on the office network and what operating system they were running and hence how the network was clogged in the first place.

Re:Been there, done that...

[EvilStein]

No, that's not the lesson. The lesson should be "Make www.microsoft.com/security" your homepage. :P

Windows Update can really break stuff. Example: Compaq Evo n600 laptops with our Windows 2000 build. That ATI driver that shows up in Windows Update causes a BSOD on restart. You have to revert to the previous version of the driver.

Running Windows Update and going click-happy can cause more harm than good sometimes.

Re:Patch unreliable?

[D3]

03-039 will overwrite 03-026 and make your machine appear to be vulnerable to Blaster when it really isn't. Read the release notes on 03-039.

From the horses mouth

[Stonent1]

This supersedes kb823980 which was the rpc patch from a few weeks ago. Basically a roll up. So if you haven't ran kb823980, you can run this and kill 2 birds with one stone.

Re:+5 Funny for the mods....

[Mr.+McGibby]

See: Metamoderation

Re:Been there, done that...

[afidel]

NT4-SP4, NT4-SP6, and about a dozen hotfixes half of which couldn't be rolled back. MS DOES release dodgy patches, about one a year, and a lot of the time they can't be undone so you have to ghost the drive and start all over.

Re:Wouldn't it be easier?

[stratjakt]

If your laptop is non-networked, then this is a non-issue. You wont be exploited via osmosis.

And if you want to shut off RPC, go to Control Panel - Administrative Tools - Services, and stop the Remote Procedure Call (RPC) service, and RPC Locator service.

And mods, quit moderating people up who don't know what in the blue hell they're talking about.

Re:Wouldn't it be easier?

[toddestan]

Have you ever gone into Control Panel and tried just that? By disabling that service, it breaks all kinds of stuff that has little to do with remote calls. If you want Windows to function at all, you must have the service running. It doesn't matter if the computer is hooked up to a network, or is completely isolated.

Software Update Services

[opiatepipedream]

I've personally used software update sevices on about 200 clients and found it to work quite effectively. I created a SUS server and then configured the clients by Kix script. The only catch was you couldn't use SUS for any os patches or service packs but not really a big deal. SUS is good also since you can decide which patches your clients pull from the server. If anyone has any interest on creating a server or would like to see the scripts I wrote to configure client machines I would be willing to donate it to anyone that needs it. Btw the script configures machines in an AD environment using LDAP and at this point is only configured for machines running 200 or xp. It also covers win2k sp1 & 2 being that it copies and installs and configures SUS on a per machine basis. Sp3 and later only need configuration.

Re:Wouldn't it be easier?

[mczak]

No, you can't disable RPC in w2k (well you can but almost nothing will run afterwards, not even the service manager which you need to get RPC working again, thank god regedit still runs...). Though I wouldn't call this a useless service, it is really needed by design. You can, however, easily disable DCOM (with w2k only sp3 or later) on your non-networked box, which should fix that RPC hole too if I read that advisory correctly (same workaround as with the last rpc vulnerability, the two bugs seem to be really almost exactly the same).

Re:Wouldn't it be easier?

[BrynM]

You are absolutely correct. Thank you. To clarify, I've been trying to turn RPC off since NT4. I can tell you firsthand that it's really bad juju to turn it off (though I still try to find a way to kill it and some other "necessary" services). You may not see the result immediately all of the time, but the problems still abound. Sure my isolated laptop should be safe from these attacks/exploits, but I want to turn RPC off altogether. It steals resources and can actually cause problems for a non-networked machine anyway. Print spool problems? Better make sure RPC is working right. Performance monitor problems? Same thing. User accounts acting funny at logon? Same thing.

Someone else compared it to 127.0.0.1 on a *nix box, but there's already a loopback interface in Windows. The RPC service was originally intended for remote administration. A better analogy would be SSH, but I don't have to run SSH under *nix, do I?

Re:BOHICA

[nstrom]

OT (and not trying to troll), but Windows Server 2003 surprisingly comes with pretty much every service disabled; you have to explicitly enable "server roles" to enable services like file sharing, VPN, HTTP, SMTP, etc.

I run Linux at home but work at a Microsoft shop, so I take what I get. I'm no Microsoft zealot, but it looks like things are shaping up a bit in Microsoft's latest generation of products. Or at least it looked that way until I found out about the new, another more different DCOM exploit.

Exploit by the end of the day?!?!?!

[djembe2k]

FYI: In an article at SecurityFocus, an "expert" says that:

hackers could launch attacks against unprotected systems as early as day's end. "It's going to be trivial," he said. "This is an instant replay of a few weeks ago."

And this post from BugTraq today seems also to suggest that there's no reason this won't be in the wild just about any minute.

Re:Todays /. Summary

[swb]

Desipte the PC radar reading you're having, in many European countries gypsies are a major pain in the ass, from a lying and stealing perspective -- which is why they still get shit on by most European police departments.

It's not an issue as much in the US, since we don't have Roma gypsy populations like they do in Europe (especially Eastern Europe). But we have had run-ins with "Irish Travelers" in the US who usually perpetrate a lot of common scams.

It's not like someone dreams these nasty things to say about other people up just to be nasty, they often have a very accurate basis in reality. Of course, this isn't PC to admit, but it is true.

Re:Been there, done that...

[Hecubas]

Yes, those were some doosies, but then again you're talking NT. However, I'm pretty sure MS Software Update Services (as in the package for sysadmins to distribute patches, as mentioned in the summary) does not automatically install Service Packs. I've got about 40 Windows 2000 workstations automatically updating with SUS and they are still on SP3. On top of being configured with SUS, you can control what patches get rolled out to your organization by manually approving the updates. Seems to work for those who like to test before rolling out changes.

--
hecubas

Re:Been there, done that...

[Battle_Ratt]

Sometimes it's not very obvious what is breaks. We lost a raid controler with the last one, and ended up thinking it was the HD's that failed and bought new ones. It wasn't until the new set of drives didn't work that we dug into the update issue. BTW, this was on one of our primary servers, and took considerable time to sort out with many people spinning their wheels. And no, we couldn't test it first, because not every company can afford to keep an extra 20k server lying around just in case microsoft decides to break a very obscure component driver.

Re:Been there, done that...

[mickwd]

So here we are, wondering why users won't keep up to date with security updates, and you call someone a dumbass just for trying to install some of those patches from Windows Update.

How are they supposed to know they're only supposed to download the "critical" ones? Not everyone who uses windows is a system admin - nor should they be.

Good job you don't work for me. Comments like this made at work would probably get you at least an unofficial verbal warning.

Perspective

[_Sprocket_]

Seems impressive that such a severe exploit has been in popular operating systems for many years - when was NT 4 released? 97?

Let's do some comparisons.

The last big Linux worm out in the wild was slapper. Slapper took advantage of a vulnerability in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).

According to this version file it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.

Of course, this is very rough. But it does add a bit of perspective.

If linux had 90+% of the desktop how long would it take for its remote exploits to be taken advantage of?

About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".

I've mentioned before that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.

Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.

If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.

Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the suprise and chagrin of some of our admins).

iexplore.exe has stopped responding

[pommiekiwifruit]

End now? Wow that's sure reassuring to happen while you're installing a patch!

Also, the patches these days lie about their size - when they say 225K they mean just for the list of the files that they really need to download in part two - some patches have megabytes hiding away in "installing" instead of "downloading". And yes I do pay by the minute :-(

Re:cognitive dissonance

[md27]

Just like the last time people brought this up, it's because Microsoft has started using Akamai to cache all their data.

Re:Been there, done that...

Microsoft has gotten much better at not borking systems with patches.
For a home user, Windows Update works fine.

In the corporate setting, this is not hard either.

If you run Microsoft software, Then you need to have a patch deployment plan. Simple. If you do not, you are a hazard to society.

Here? I have a small test network set up using spare hardware and some vmware stations. Here, I will hammer out and watch for any serious software conflicts. It's also a good idea to watch mailing lists like NTBugTraq or Focus-MS, and look for anyone else having issues.
Drivers? I don't update them. If they work, and are stable, I don't touch them. My server does not need the latest video-driver performance. Unless I need something specific, I find a version that is stable, and stay with it. Most of my crashes over the years are *not* directly Microsoft's fault. It's shitty drivers.

Obviously no testing is perfect, short of having an economically-infeasible duplicate of your network. Thus enters Ghost.
Before deploying patches, I ghost machines. If there is a problem, POOF! 30 minutes later, my servers are recreated.

Critical patches go into a weekly update job, after testing for a few days.
Non-critical patches go into an update job that fires twice a month.

This, coupled with a firewalling policy that isn't completely brain-dead (Why is RPC coming in in the first place?), an intelligent policy for laptops (Company machines are patched and audited. Non-company machines can't connect to the network, thanks to 802.1x).

I have never been infected with Slammer.
I have never seen the likes of Blaster.
I won't have any problems with (insert_dumb_virus_name).

Thank you, and good night.

R

Re:BOHICA

[pebs]

how is this a troll? does someone not understand sed?

he is correctly pointing out that it is OpenBSD (not FreeBSD) who claims one remote root exploit in 7 years.

Cryptographic service preventing patch install

[hiroshi912681]

A few seconds after loading up the installer...

"Setup could not verify the integrity of the file Update.inf.
Make sure the Cryptographic service is running on this computer"

I had been getting this problem for a looong time, couldn't get windows update going, couldn't install the ms blaster security patch (without finding an alternative installer from the original security update)... I had searched countless sites on "fixes" that didn't apply to me. But, thankfully, after the whole ms blaster patch thing settled, a few more ppl like me have come out of the woodworks...

the fix that applied to me:

(The following is ONLY XP Professional - NOT XP Home Edition)

Well, this is going to happen only to a handful of you... I hope!

Without getting too "techie" on you, there is an issue for some Windows XP Professional users where the computers Software Restriction Policy for the Local Computer only allows "Local computer administrators" to select "trusted publishers". This is causing the failure....

This occurs whether the user installing the security patch is an Administrator or not!

This may mean nothing to you and it does not have too.

Here is the work around:

Click Start menu, and then click the Run icon.
In the small box that Opens, type: gpedit.msc then click the OK button.
In the new windows that opens you will see a menu on the left hand side.
Under Computer Configuration you will see a folder called Windows Settings - double click it.
The new options that appear directly below include Security Settings - double click it.
The new options that appear directly below include Software
Restriction Policies - double click it.
Now on the right hand side of the window you will see an object called Trusted Publishers - double click it and a new window appears.

In this window change the setting under Allow the following users to select trusted publishers to the default which should be End Users.

for even more fixes (in case it didn't work for you), check out the site I found it off: http://www.updatexp.com/cryptographic-service.html

thanks updatexp =D I was finally able to install 37 critical security updates... scary, eh? Thank goodness for routers/firewalls =) I'd have been doomed, otherwise.

Re:BOHICA

[afidel]

You and the others are correct it was OpenBSD with the one exploit record, though I don't believe Free has had many more.

Scripts?

[mulhall]

What did you do that can't be done with GPO?

I find it's controls are not exactly granular in their depth.