Slashdot Mirror


Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

37 of 604 comments

  1. Been there, done that... by DavidBrown · · Score: 5, Insightful

    MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

    --
    144l. ph34r my 133t l3g4l 5k1lz!
    1. Re:Been there, done that... by pmz · · Score: 3, Insightful

      The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

      Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system. The safest route with Windows is: install the OS and applications and then leave it alone for maximum stability. Then, put the damn thing behind a non-Windows firewall or leave it disconnected from the Internet entirely.

    2. Re:Been there, done that... by sould · · Score: 4, Insightful

      The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update

      All very well for your little toy box, but you shouldn't assume that a solution that works for you at home will scale up to a production environment.

      Windows update breaks things. Unexpectedly and unpredictably.

    3. Re:Been there, done that... by FearUncertaintyDoubt · · Score: 5, Insightful
      And anyone who has ever been burned by a MS patch that caused more problems than it prevented will tell you that you should never be the first guy to install a Windows patch.

      The reality that BillG refuses to acknowledge in his public statements is simply that you cannot "just install the patch" in an enterprise environment. It takes time. Time to evaluate the risks of installing vs. not installing, time to test (and resolve any issues that come up), time to develop a deployment plan, time to actually implement the deployment plan, and time to audit and follow up with everyone who 1) has somehow avoided installing it, 2) is a dial-up user and can't download it easily, 3) had their machine utterly crash after the patch was applied.

      Don't blame sysadmins. Blame MS for releasing patches which step on the heels of the deployment of the previous critical update. When a new patch comes out every 2 weeks, and a deployment may take 3 weeks, you've got a problem.

    4. Re:Been there, done that... by JesseL · · Score: 4, Insightful

      That's great if you totally trust all your users and aren't concerned about local exploits.

      --
      "Prefiero morir de pie que vivir siempre arrodillado!"
    5. Re:Been there, done that... by Kibo · · Score: 4, Insightful

      Wouldn't you then run the risk of a dual use machine like a PDA or a laptop bringing in a worm and crushing the soft pink naked interior of the network within your borders?

      And wasn't security by wishful thinking the impetus for the problem to begin with?

      --
      --Jimmy has fancy plans; and pants to match.
    6. Re:Been there, done that... by bmajik · · Score: 4, Insightful

      All things considered, _you_ are better off running windows update. Your "safe route" is a terrible idea. How does your firewall protect against an IE vuln, where your unpatched machine uses IE to request a page with malicious code in it?

      Ooops.

      Patch your machines, or, let automatic updates do it for you.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    7. Re:Been there, done that... by Anonymous Coward · · Score: 1, Insightful

      Except:

      I had a client that just bought a laptop after the MSBlaster fiasco. Of course it hadn't been patched for MSBlaster yet. He set up dial-up networking, started the update, and was infected with MSBlaster before the update could finish downloading!!!

      The only way I got him working was to use the restore disk and then update him behind my firewall. That for your MS update!!

    8. Re:Been there, done that... by Lispy · · Score: 4, Insightful

      Errr...maybe because Microsoft CERTIFIED the buggy driver?

    9. Re:Been there, done that... by Lshmael · · Score: 3, Insightful

      If you have read the Windows Update EULA, you would realize that if you have an illegal copy, you have no rights. Examples here and here.

      That said, I do not think that most people that do install upgrades do so because they have illegal copies. They are simply blissfully ignorant of the possible consequences, seeing viruses, trojan horses, and worms as simply bad luck. When so afflicted, they simply say, "I hate computers," not realizing that it was all avoidable.

    10. Re:Been there, done that... by tomhudson · · Score: 4, Insightful
      Come off it, even Microsoft doesn't follow their stated "best practices". The only best practice is to reformat and install something else, anything else.

      And the message is getting out. I've seen a few columns where the writer states "While Linux and Mac users had a calm week, Microsoft users were brought to their knees by ...[insert latest worm/patch/bug/fix/virus] ... and spent the last week fixing their systems, again."

      Makes me wonder how they have any time to do anything else (it also explains why most of the /. crowd uses linux - we just happen to have the extra time b/c we're not patching, not fixing other boxes, etc.)

    11. Re:Been there, done that... by Anonymous Coward · · Score: 3, Insightful

      When you finish high school and pursue a career in IT, you'll have a chance to learn firsthand about the long and well documented history of Microsoft patches breaking systems. And if you get to be one of the lucky ones to apply such a patch, you'll also see, firsthand again, how a business can be brought to its knees.

      My guess is that you'll find it Real Hard(tm) to decide what's worse: feeling angry about being fired, feeling angry toward Microsoft, feeling incompetent, feeling bad for ruining the work activities of a few hundred/few thousand co-workers, feeling bad for making your boss lose money, or just feeling stupid for having made uneducated, ill-informed comments on Slashdot.

    12. Re:Been there, done that... by frozenray · · Score: 5, Insightful
      This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

      I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.
      Where I work, this baby nearly slipped through QA (the error only occurs on certain levels of the Compaq RAID firmware, and the three original test servers had a newer revision of the firmware). Good thing one of the guys in QA (bless him) decided to do a little additional testing (and we use a staggered deployment scheme anyway), or we could potentially have faced 400 BSODing production servers.

      The fact that WU works fine for your single box (as it does for mine) unfortunately says nothing about the regular deployment of patches in a 36'000 seat / 800 server corporate network such as ours, even if stringent QA procedures are in place. Keep in mind that security fixes mean tighter security settings and that those can lead to application problems which can be very hard to find without an inordinate amount of QA.

      And by the way, SUS 1.1 might be fine for a small to medium network, but falls miserably short for large installations. We're praying that 2.0 will be better suited to our purposes because handling the pressure from the IRT case manager (who wants to deploy every fix immediately) and production (who doesn't tolerate downtime due to patch distribution) is not fun at all.

      Last but not least: having things like DBMS file systems in future OS releases might be cool - but we can live without them. Me, I'd settle for an OS with less bugs and security holes, thank you very much.
      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
    13. Re:Been there, done that... by Tony-A · · Score: 4, Insightful

      Hehe. Hehe. Sorry, but you can laugh or you can cry. Laughing's better.
      Russian roulette with Microsoft patches. Sorry, I gave up that game 2-3 years ago. I feel safer on my unpatched NT Workstation (with a few tweaks so it doesn't run worms/viruses so good anymore).

      Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volume of them, it's a lot harder than most people think to keep boxes up to date.
      If the description said what was fixed, and what files were replaced to fix it, and what those replacement files were, exactly, then you would at least be able to determine if the patch "took" or not. By withholding that information, the patches look like they work, whether or not they actually did anything. It's essentially impossible to unpatch if necessary.

      Running it again found the patches I needed for the 3rd one.
      If at first you don't succeed, try try again. ;-)
      Gives a lot of faith in their update process, eh wot? [bad attempt at British humor]

    14. Re:Been there, done that... by Anonymous Coward · · Score: 2, Insightful

      If you have read the Windows EULA, you would realise that if you have a legal copy, you still have no rights. Examples here and here.

  2. jebus h flippin' christ by Anonymous Coward · · Score: 5, Insightful

    there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.

    1. Re:jebus h flippin' christ by pmz · · Score: 2, Insightful

      Outlook and Exchange use TCP/135 to communicate.

      Why?!?

    2. Re:jebus h flippin' christ by Jeremy+Allison+-+Sam · · Score: 4, Insightful

      So that they can use undocumented DCE/RPC calls to communicate and do the things you can do over IMAP of course!

      What, you thought Microsoft *wanted* to let Outlook do its "special things" over a published protocol?

      How would they force you to install Exchange then?

      Jeremy.

    3. Re:jebus h flippin' christ by Florian+Weimer · · Score: 3, Insightful

      there is no excuse for anyone having RPC holes like ports 135-139 available on the internet.

      What about RPC holes like ports 80 and 443? (Thanks, SOAP!)

  3. Fine journalism by Anonymous Coward · · Score: 3, Insightful
    "[...] Shucks, we haven't even finished patching the RPC flaw yet."

    Shucks, you only had a whole fucking month to do it before the exploit made it to the wild.

    You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S

    The always insightful Slashdot editorial byline. RTFA - the article (On NewsForge, no less, and framed with three Microsoft ads) says the worm crashed a Unix server. Score one for reliability of "real" operating systems - and unbiased reporting.

    1. Re:Fine journalism by Anonymous Coward · · Score: 1, Insightful

      What the hell are you on? Most that know anything would never claim a computer to be immune to a DDoS attack...

      Let's see, when you say "crash" it means more to the joe-blow public than saying "malfunctioned". In the end, if it prevents that server from receiving information necessary to carry out its function, for all means and purposes the computer has "crashed" to the public.

      In other words, the Newsforge article gives the technical failure to an audience in which the majority would understand those terms. If you stick "crippled because of a DDoS-like scenario" on CNN, you've just confused 90% of the readers.

  4. I manage several XP machines by CmdrPorno · · Score: 4, Insightful

    And we weren't hit because they had the current patches and virus defs, plus they were behind a firewall. For the average Windows user, mandatory updates (OS and antivirus), and firewall defaulted to enabled should be the norm, so long as "power users" can disable this option. And services that are useless for the average user (such as DCOM) should be disabled. Those who want it can enable it, it's not that difficult!

    --
    Sent from my iPhone
  5. Port blocking on Internet/Intranets by AEton · · Score: 4, Insightful

    It seems like many of the recent vulnerabilities have one common feature--they all use a static port.

    The buggy Netgear routers that were DDoS-ing U-Wisconsin all sent the packets from one port, and the temporary solution of blocking that traffic was an easy fix (if not optimal in bandwidth terms). RPC by its very nature also uses a fixed series of ports, and Microsoft's continued ineptitude in properly programming the protocol suggests that it's time to start blocking those ports on Internet-facing computers and (for some universities or corporations where it wouldn't kill important processes) inside the firewall.

    Blocking ports is probably even faster than patching thousands of computers (or convincing end users to do it! eek!); there's not much of an excuse remaining for many administrators in this regard.

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
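The detection side of the port-blocking advice above, as an added example that is not part of the original post: it runs over constructed iptables-style firewall log lines (the internal address ranges are an assumption) and flags external sources that probe many internal hosts on ports 135-139, while ignoring internal Outlook-to-Exchange traffic on TCP/135.

```python
"""Flag external hosts probing the Windows RPC/NetBIOS ports (135-139).

Added example, not code from the Slashdot thread. It parses constructed
netfilter-style firewall log lines and reports external sources that hit
ports 135-139 on several distinct internal hosts, the pattern of a worm
scanning for the DCOM RPC hole. Internal sources are skipped because
Outlook legitimately talks to Exchange over TCP/135.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the post recommends blocking at the Internet border.
RPC_PORTS = set(range(135, 140))

# Assumption: the organisation's internal address ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Picks the SRC/DST/PROTO/DPT fields out of an iptables LOG line.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")

# Constructed sample log; 203.0.113.x and 198.51.100.x play the "Internet".
SAMPLE_LOG = """\
Sep 10 20:41:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=3021 DPT=135 SYN
Sep 10 20:41:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.11 PROTO=TCP SPT=3022 DPT=135 SYN
Sep 10 20:41:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.12 PROTO=TCP SPT=3023 DPT=135 SYN
Sep 10 20:41:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.13 PROTO=TCP SPT=3024 DPT=135 SYN
Sep 10 20:41:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=80 SYN
Sep 10 20:41:03 fw kernel: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.20 PROTO=TCP SPT=1100 DPT=135 SYN
Sep 10 20:41:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=5555 DPT=139 SYN
"""


def parse_line(line):
    """Return (src, dst, proto, dport) for a LOG line, or None if the fields are absent."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto, int(dport)


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_rpc_scanners(lines, min_targets=3):
    """Map each external source to the number of distinct internal hosts it
    probed on ports 135-139, keeping only sources at or above min_targets."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _proto, dport = rec
        # Ignore other ports and internal sources (e.g. an Exchange client).
        if dport not in RPC_PORTS or is_internal(src):
            continue
        targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_rpc_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {count} internal hosts on ports 135-139")
```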
    1. Re:Port blocking on Internet/Intranets by Elwood+P+Dowd · · Score: 4, Insightful

      The reason we gripe is that many /. readers are IT professionals in medium-small companies. We have laptop users that go home, connect to AOL, get this virus while they're outside of our firewall.

      Then they bring the machine to work, plug into the network, and infect everybody. Obviously, there are ten different things you can do to reduce or eliminate this threat, but that's the pain in the ass.

      This is not even a mild annoyance for me on my home computer. I didn't hear many folks on /. complaining about how their computer is restarting all the time (Blaster)... because we geeks were patched.

      --

      There are no trails. There are no trees out here.
  6. We need PUBLICITY, or no one will know or care. by JessLeah · · Score: 5, Insightful

    Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistent. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."

    We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...

    1. Re:We need PUBLICITY, or no one will know or care. by doc_traig · · Score: 2, Insightful

      Very true. Until Peter Jennings tells Average Joe there's a problem, he won't know or care about it. And Peter Jennings won't tell you until there are lots of folks to tell the reporters how they'd been "hit."

      Imagine if it was discovered that everyone who had a standard deadbolt on his front door was suddenly vulnerable to being burglarized by anyone with a paper clip. Would the story be noticed only after tens of thousands had been burglarized?

      --
      So long, michael. Don't let the door hit you...
  7. Wouldn't it be easier? by BrynM · · Score: 4, Insightful

    Wouldn't it be easier to just turn the RPC service off or remove it? Oh, that's right. You can't do either. It's an important Windows component that helps my non-networked, non-server, non-client Win2K development laptop run correctly. If it weren't there... well it just wouldn't be there and that's not good. Thank you MS for yet another non-uninstallable, non-disableable useless service for me to worry about. I can't wait until my web browser and messaging client are at this level of necessity. Then I'll really be empowered to run my computer the way I see fit.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  8. Impressive by SpamJunkie · · Score: 2, Insightful

    Seems impressive that such a severe exploit has been in popular operating systems for many years - when was NT 4 released? 97? - yet never taken advantage of until... well, shortly. As much as I hate to admit it, seems to prove the point that proprietary code is more secure. If people don't know a flaw exists they don't exploit it.

    If linux had 90+% of the desktop how long would it take for its remote exploits to be taken advantage of?

  9. Forget your firewall.. by Dynamoo · · Score: 4, Insightful
    Forget your firewall, it's a useful tool, but a lot of outfits that got hit by MSBlast and Nachi had properly configured firewalls.

    The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.

    Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.

    Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.

    So yes, this all takes time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss your backside goodbye.

    --
    Never email donotemail@WeAreSpammers.com
  10. Re:Here's what should be done by Anonymous Coward · · Score: 1, Insightful

    That's no fun! Then you can't spread the virus. It's like ebola, it's too destructive for its own good at killing people so that there is no one left to infect.

    In other words, unless the destructive virus infects a specific number of hosts and/or expires after a sufficiently lengthy period, it would probably only impact relatively few systems.

  11. Re:BOHICA by afidel · · Score: 4, Insightful

    Wrong, the flaw is in the methodology of development and testing. Unchecked buffers aren't hard to eliminate. Tools like Purify will find 90% of them automatically, a good code review will find most of the rest. Look at FreeBSD, only one remote exploit in how many years??? It CAN be done, MS just doesn't have the will, because they certainly have the resources.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  12. tco and gartner by Camel+Pilot · · Score: 4, Insightful

    Did the recent microsoft underwritten study on tco for windows and linux include the odd virus infestation and weekly patching requirements for windows machines.

  13. It's easy to jump on the bandwagon by AvengerXP · · Score: 1, Insightful

    And bash MS but when you have 90% of the market for desktops, of course all flaws will appear blown out in proportions. Imagine having almost everyone drive Ford cars. Then the recall rate for Fords will increase. Of course it will, it's called proportions.

    Sure their coding isn't flawless, far from it, but they really are doing their best. It doesn't serve them or their customers to "make" these holes.

    --
    Trolls don't like to be Flamebait, because they burn so well. Protect our Troll heritage!
  14. Re:Will it screw up my laptop again? by pantherace · · Score: 2, Insightful
    At the risk of being modded as a troll for this one, I would say that if UNIX had the marketshare instead of MS, then we'd see a ton of UNIX based worms/viruses. Or Mac for that matter. MS, who I agree has awful business practices, is just an easy target for rhetoric for those two reasons.

    Care to explain a reason WHY? How many linux worms have there been? And of the very very few, they were all targeted at Apache (which is not part of the OS), and if we include IIS in the windows category (which has a HELL of a lot LESS market share than apache) then any comparison will yield a result very bad for Microsoft. Not to mention that many Bug counts for Linux are aggregate numbers (and not distro-specific) so the numbers are multiplied several times.

    This also does not include the fact that Windows is very often a single-vendor solution. Windows (WS & Server), Exchange, Office, IE, IIS, etc. This amounts to a very homogeneous environment, because there isn't another easy way to use Exchange with something else for the most part, or Outlook with a different server (I know projects that can (Evolution & Suse's open exchange (title?)) however, you have to be looking for an alternative. On Linux how many people use kmail, evolution, mutt, pine, webmail-type, etc etc? OpenOffice is pretty much a standard but even then we have Abiword, KOffice, LaTeX, etc etc, and afaik there is no OpenOffice email client. Desktop environments in general: CDE, GNOME, KDE, and a host of small projects. Not to mention UNIX systems (and linux systems) have a variety: RedHat Linux, Sun Solaris, IBM AIX, FreeBSD, Suse Linux, Compaq Tru64, etc. And processor arch: x86 (the majority), ppc, alpha, sparc, sparc64, mips, arm, ia-64, etc

    Linux/UNIX are not vulnerable to many of the same exploits as each other. How many .0x% of linux users got hit by an exploit in apache?

    Send me a virus: I will read it on an alpha in kmail, or on a sparc via mutt, etc. A worm/virus may hit a tiny percent of linux users, but how many have a setup compatible enough with the worm to actually get hit.

    It's called diversity, and you might want to look at biological models. The next windows worm that tells a computer to format its hd if it's before a patch from microsoft may mean that a heck of a lot of windows computers die. Say a virus that has a timer of a day (give it time to replicate) then kills the host? Only those who have good firewalls won't die, which is, unfortunately, not the case with windows (as seen by the recent rpc bugs.) Black ICE for example doesn't block messenger by default, does it block anything else?

    A killer virus/worm could cripple most windows users, but would only kill a small percentage of linux users, unless the author is very creative, and knew a whole bunch of security holes in many different programs.

    Diversity. Diversity. Diversity.

  15. Re:+5 Funny for the mods.... by MrHanky · · Score: 3, Insightful

    Unfortunately, you can only vote "Fair" or "Unfair". Sometimes a mod is so unfair that it's hilarious. Those should be lauded. Normally, the moderators are just stupid.

    Yes, that means you, you stupid git. No, don't touch that button. Get away from there! *Aieeeeee*

    Browse at -1 to read this comment.

  16. Thanks but... by 110010001000 · · Score: 1, Insightful

    ...Microsoft Update downloaded and installed the patch for me already. And no, I didn't do a week's worth of regression testing.

  17. TCO by mattr · · Score: 2, Insightful
    Someone also mentioned but I was thinking.. the article about blaster and the power grid mentions at the bottom a few links to huge outages caused by Microsoft vulnerabilities - railways, police stations, etc. Sure we've heard about these on and off lately.

    Now has anybody actually made a study of how much was lost, and what statistically would be the amount you can expect to lose if you deploy M$ systems? Something like a 5% chance of losing 20 million bucks, etc.? Was just thinking this should be included in any TCO studies M$ is funding.