Slashdot Mirror


Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

11 of 604 comments

  1. Re:jebus h flippin' christ by grub · · Score: 4, Informative


    Outlook and Exchange use TCP/135 to communicate. Not everyone uses a VPN to read their Exchange-served email when remote you know.

    --
    Trolling is a art,
  2. Re:Been there, done that... by Col. Klink (retired) · · Score: 5, Informative

    In some places, we actually test that all of our critical applications will continue to run after applying patches to the OS rather than just blindly applying every patch and hoping nothing breaks.

    --
    Don't Tase me, bro!

  3. Re:Fine journalism by Anonymous Coward · · Score: 5, Informative
    the worm crashed a Unix server.
    It says, to be more precise, that the worm caused high volumes of network traffic causing the Unix server to malfunction. This wouldn't have happened had they not bridged the office network with the power station network. Guess what machines were on the office network and what operating system they were running and hence how the network was clogged in the first place.
  4. Re:Been there, done that... by EvilStein · · Score: 4, Informative

    No, that's not the lesson. The lesson should be "Make www.microsoft.com/security your homepage." :P

    Windows Update can really break stuff. Example: Compaq Evo n600 laptops with our Windows 2000 build. That ATI driver that shows up in Windows Update causes a BSOD on restart. You have to revert to the previous version of the driver.

    Running Windows Update and going click-happy can cause more harm than good sometimes.

  5. Re:Patch unreliable? by D3 · · Score: 4, Informative

    03-039 will overwrite 03-026 and make your machine appear to be vulnerable to Blaster when it really isn't. Read the release notes on 03-039.

    --
    Do really dense people warp space more than others?
  6. From the horse's mouth by Stonent1 · · Score: 4, Informative

    This supersedes KB823980, which was the RPC patch from a few weeks ago. Basically a roll-up. So if you haven't run KB823980, you can run this and kill two birds with one stone.

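The point made in comments 5 and 6 (the MS03-039 roll-up replaces the MS03-026 hotfix, so a check that only looks for the older hotfix ID reports a patched box as vulnerable) is easy to get wrong in inventory scripts. The following is an added example, not code from the thread or from Microsoft: it parses constructed `wmic qfe list` style output, closes the installed set over a supersession map, and contrasts the result with a naive string-match verdict. KB823980 (MS03-026) is named in the thread; KB824146 is the hotfix identifier Microsoft issued MS03-039 under and is assumed here, as is the single supersession relationship modelled.

```python
"""Supersession-aware hotfix check (added example, not from the thread).

Assumptions: MS03-026 is hotfix KB823980 (stated in the thread); MS03-039 is
hotfix KB824146 (taken from Microsoft's bulletin, not from the thread); the
supersession map below is the only relationship modelled. The 'wmic qfe'
output is constructed for this example, not captured from a real host.
"""
import re

# Bulletin -> hotfix that installs it.
BULLETIN_KB = {
    "MS03-026": "KB823980",
    "MS03-039": "KB824146",
}

# Newer hotfix -> older hotfixes it replaces (MS03-039 is a roll-up of MS03-026).
SUPERSEDES = {
    "KB824146": {"KB823980"},
}

# Constructed sample of 'wmic qfe list' output: the MS03-039 roll-up is present,
# the original MS03-026 hotfix is not.
SAMPLE_QFE_OUTPUT = """\
Caption                                    Description      HotFixID  InstalledBy          InstalledOn
http://support.microsoft.com/?kbid=824146  Security Update  KB824146  NT AUTHORITY\\SYSTEM  9/10/2003
http://support.microsoft.com/?kbid=823559  Security Update  KB823559  NT AUTHORITY\\SYSTEM  8/1/2003
"""

# Case-sensitive on purpose: matches the HotFixID column, not the lower-case 'kbid=' in the URL.
_KB_RE = re.compile(r"\bKB(\d{6,7})\b")


def parse_qfe(text):
    """Return the set of hotfix IDs ('KB######') named in 'wmic qfe list' output."""
    return {f"KB{num}" for num in _KB_RE.findall(text)}


def effective_hotfixes(installed):
    """Close the installed set over SUPERSEDES: a roll-up counts for everything it replaces."""
    result = set(installed)
    stack = list(installed)
    while stack:
        kb = stack.pop()
        for older in SUPERSEDES.get(kb, ()):
            if older not in result:
                result.add(older)
                stack.append(older)  # follow chains of supersession
    return result


def bulletin_status(installed):
    """Map each bulletin to 'installed', 'superseded' (covered by a newer hotfix) or 'missing'."""
    effective = effective_hotfixes(installed)
    status = {}
    for bulletin, kb in BULLETIN_KB.items():
        if kb in installed:
            status[bulletin] = "installed"
        elif kb in effective:
            status[bulletin] = "superseded"
        else:
            status[bulletin] = "missing"
    return status


def naive_scanner_verdict(installed, bulletin):
    """What a scanner that only string-matches the bulletin's own hotfix ID would report."""
    return "patched" if BULLETIN_KB[bulletin] in installed else "VULNERABLE"


if __name__ == "__main__":
    installed = parse_qfe(SAMPLE_QFE_OUTPUT)
    print("installed:", sorted(installed))
    print("bulletin status:", bulletin_status(installed))
    # The naive check reports the MS03-039-patched host as still open to Blaster.
    print("naive verdict for MS03-026:", naive_scanner_verdict(installed, "MS03-026"))
```

On the sample host the supersession-aware check reports MS03-026 as "superseded" and MS03-039 as "installed", while the naive check still says "VULNERABLE" for MS03-026, which is exactly the false positive comment 5 warns about. Extend SUPERSEDES from the bulletin's own release notes before relying on this against real inventory data.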
  7. Re:Been there, done that... by afidel · · Score: 4, Informative

    NT4-SP4, NT4-SP6, and about a dozen hotfixes half of which couldn't be rolled back. MS DOES release dodgy patches, about one a year, and a lot of the time they can't be undone so you have to ghost the drive and start all over.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  8. Software Update Services by opiatepipedream · · Score: 4, Informative

    I've personally used Software Update Services on about 200 clients and found it to work quite effectively. I created a SUS server and then configured the clients by Kix script. The only catch was you couldn't use SUS for any OS patches or service packs, but not really a big deal. SUS is good also since you can decide which patches your clients pull from the server. If anyone has any interest in creating a server or would like to see the scripts I wrote to configure client machines, I would be willing to donate them to anyone that needs them. BTW, the script configures machines in an AD environment using LDAP and at this point is only configured for machines running 2000 or XP. It also covers Win2k SP1 & SP2, in that it copies, installs and configures SUS on a per-machine basis. SP3 and later only need configuration.

  9. Exploit by the end of the day?!?!?! by djembe2k · · Score: 5, Informative
    FYI: In an article at SecurityFocus, an "expert" says that:
    hackers could launch attacks against unprotected systems as early as day's end. "It's going to be trivial," he said. "This is an instant replay of a few weeks ago."
    And this post from BugTraq today seems also to suggest that there's no reason this won't be in the wild just about any minute.
  10. Re:Been there, done that... by Hecubas · · Score: 4, Informative

    Yes, those were some doozies, but then again you're talking NT. However, I'm pretty sure MS Software Update Services (as in the package for sysadmins to distribute patches, as mentioned in the summary) does not automatically install Service Packs. I've got about 40 Windows 2000 workstations automatically updating with SUS and they are still on SP3. On top of being configured with SUS, you can control what patches get rolled out to your organization by manually approving the updates. Seems to work for those who like to test before rolling out changes.

    --
    hecubas
  11. Perspective by _Sprocket_ · · Score: 4, Informative


    Seems impressive that such a severe exploit has been in popular operating systems for many years - when was NT 4 released? 97?


    Let's do some comparisons.

    The last big Linux worm out in the wild was slapper. Slapper took advantage of a vulnerability in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).

    According to this version file it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.

    Of course, this is very rough. But it does add a bit of perspective.


    If linux had 90+% of the desktop how long would it take for its remote exploits to be taken advantage of?


    About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".

    I've mentioned before that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.

    Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.

    If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.

    Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the surprise and chagrin of some of our admins).