Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Identifies, Patches Another Critical RPC Hole

Posted by timothy on from the capn-we-need-more-glue-down-here dept.

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

20 of 604 comments (clear)

  1. Been there, done that... by DavidBrown · · Score: 5, Insightful

    MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

    --
    144l. ph34r my 133t l3g4l 5k1lz!
    1. Re:Been there, done that... by sould · · Score: 4, Insightful
      The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update


      All very well for your little toy box, but you shouldn't assume that a solution that works for you at home will scale up to a production environment.


      Windows update breaks things. Unexpectedly and unpredictably.

    2. Re:Been there, done that... by FearUncertaintyDoubt · · Score: 5, Insightful
      And anyone who has ever been burned by a MS patch that caused more problems than it prevented will tell you that you should never be the first guy to install a Windows patch.

      The reality that BillG refuses to acknowledge in his public statements is simply that you cannot "just install the patch" in an enterprise environment. It takes time. Time to evaluate the risks of installing vs. not installing, time to test (and resolve any issues that come up), time to develop a deployment plan, time to actually implement the deployment plan, and time to audit and follow up with everyone who 1) has somehow avoided installing it, 2) is a dial-up user and can't download it easily, 3) had their machine utterly crash after the patch was applied.

      Don't blame sysadmins. Blame MS for releasing patches which step on the heels of the deployment of the previous critical update. When a new patch comes out every 2 weeks, and a deployment may take 3 weeks, you've got a problem.

    3. Re:Been there, done that... by JesseL · · Score: 4, Insightful

      That's great if you totally trust all your users and aren't concern about local exploits.

      --
      "Prefiero morir de pie que vivir siempre arrodillado!"
    4. Re:Been there, done that... by Kibo · · Score: 4, Insightful

      Wouldn't you then run the risk of a dual use machine like a PDA or a laptop bringing in a worm and crushing the soft pink nakked interior of the network within your boarders?

      And wasn't security by wishful thinking the impetus for the problem to begin with?

      --
      --Jimmy has fancy plans; and pants to match.
    5. Re:Been there, done that... by bmajik · · Score: 4, Insightful

      All things considered, _you_ are better off running windows update. Your "safe route" is a terrible idea. How does your firewall protect against an IE vuln, where your unaptched machine uses IE to request a page with malicious code in it ?

      Ooops.

      Patch your machines, or, let automatic updates do it for you.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    6. Re:Been there, done that... by Lispy · · Score: 4, Insightful

      Errr...maybe because Microsoft CERTIFIED the buggy driver?

    7. Re:Been there, done that... by tomhudson · · Score: 4, Insightful
      Come off it, even Microsoft doesn't follow their stated "best practices". The only best practice is to reformat and install something else, anything, else.

      And the message is getting out. I've seen a few columns where the writer states "While Linux and Mac users had a calm week, Microsoft users were brought to their knees by ...[insert latest worm/patch/bug/fix/virus] ... and spent the last week fixing their systems, again."

      Makes me wonder how they have any time to do anything else (it also explains why most of the /. crowd uses linux - we just happen to have the extra time b/c we're not patching, not fixing other boxes, etc.)

    8. Re:Been there, done that... by frozenray · · Score: 5, Insightful
      This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

      I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.
      Where I work, this baby nearly slipped through QA (the error only occurs on certain levels of the Compaq RAID firmware, and the three original test servers had a newer revision of the firmware). Good thing one of the guys in QA (bless him) decided to do a little additional testing (and we use a staggered deployment scheme anyway), or we could potentially have faced 400 BSODing production servers.

      The fact that WU works fine for your single box (as it does for mine) unfortunately says nothing about the regular deployment of patches in a 36'000 seat / 800 server corporate network such as ours, even if stringent QA procedures are in place. Keep in mind that security fixes mean tighter security settings and that those can lead to application problems which can be very hard to find without an inordinate amount of QA.

      And by the way, SUS 1.1 might be fine for a small to medium network, but falls miserably short for large installations. We're praying that 2.0 will be better suited to our purposes because handling the pressure from the IRT case manager (who wants to deploy every fix immediately) and production (who doesn't tolerate downtime due to patch distribution) is not fun at all.

      Last but not least: having things like DBMS file systems in future OS releases might be cool - but we can live without them. Me, I'd settle for an OS with less bugs and security holes, thank you very much.
      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
    9. Re:Been there, done that... by Tony-A · · Score: 4, Insightful

      Hehe. Hehe. Sorry, but you can laugh or you can cry. Laughing's better.
      Russian roulette with Microsoft patches. Sorry, I gave up that game 2-3 years ago. I feel safer on my unpatched NT Workstation (with a few tweaks so it doesn't run worms/viruses so good anymore).

      Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volume of them, it's a lot harder than most people think to keep boxes up to date.
      If the description said what was fixed, and what files were replaced to fix it, and what those replacement files were, exactly, then you would at least be able to determine if the patch "took" or not. By withholding that information, the patches look like they work, whether or not they actually did anything. It's essentially impossible to unpatch if necessary.

      Running it again found the patches I needed for the 3rd one.
      If at first you don't succeed, try try again. ;-)
      Gives a lot of faith in their update process, eh wot? [bad attempt at Brittish humor]

  2. jebus h flippin' christ by Anonymous Coward · · Score: 5, Insightful

    there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.

    1. Re:jebus h flippin' christ by Jeremy+Allison+-+Sam · · Score: 4, Insightful

      So that they can use undocumented DCE/RPC calls to
      communicate and do the things you can do over IMAP
      of course !

      What, you thought Microsoft *wanted* to let Outlook
      do it's "special things" over a published protocol ?

      How would they force you to install Exchange then ?

      Jeremy.

  3. I manage several XP machines by CmdrPorno · · Score: 4, Insightful

    And we weren't hit because they had the current patches and virus defs, plus they were behind a firewall. For the average Windows user, mandatory updates (OS and antivirus), and firewall defaulted to enabled should be the norm, so long as "power users" can disable this option. And services that are useless for the average user (such as DCOM) should be disabled. Those who want it can enable it, it's not that difficult!

    --
    Sent from my iPhone
  4. Port blocking on Internet/Intranets by AEton · · Score: 4, Insightful

    It seems like many of the recent vulnerabilities have one common feature--they all use a static port.

    The buggy Netgear routers that were DDoS-ing U-Wisconsin all sent the packets from one port, and the temporary solution of blocking that traffic was an easy fix (if not optimal in bandwidth terms). RPC by its very nature also uses a fixed series of ports, and Microsoft's continued ineptitude in properly programming the protocol suggests that it's time to start blocking those ports on Internet-facing computers and (for some universities or corporations where it wouldn't kill important processes) inside the firewall.

    Blocking ports is probably even faster than patching thousands of computers (or convincing end users to do it! eek!); there's not much of an excuse remaining for many administrators in this regard.

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
    1. Re:Port blocking on Internet/Intranets by Elwood+P+Dowd · · Score: 4, Insightful

      The reason we gripe is that many /. readers are IT professionals in medium-small companies. We have laptop users that go home, connect to AOL, get this virus while they're outside of our firewall.

      Then they bring the machine to work, plug into the network, and infect everybody. Obviously, there are ten different things you can do to reduce or eliminate this threat, but that's the pain in the ass.

      This is not even a mild annoyance for me on my home computer. I didn't hear many folks on /. complaining about how their computer is restarting all the time (Blaster)... because we geeks were patched.

      --

      There are no trails. There are no trees out here.
  5. We need PUBLICITY, or no one will know or care. by JessLeah · · Score: 5, Insightful

    Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistant. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."

    We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...

    --
    Honey, I shrunk the Cygwin
  6. Wouldn't it be easier? by BrynM · · Score: 4, Insightful

    Wouldn't it be easier to just turn the RPC service off or remove it? Oh, that's right. You can't do either. It's an important Windows component that helps my non-networked, non-server, non-client Win2K development laptop running correctly. If it weren't there... well it just wouldn't be there and that's not good. Thank you MS for yet another non-uninstallable, non-disableable useless service for me to worry about. I can't wait until my web browser and messageing client are at this level of necessity. Then I'll really be enpowered to run my computer the way I see fit.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  7. Forget your firewall.. by Dynamoo · · Score: 4, Insightful
    Forget your firewall, it's a useful tool, but a lot of outfits that got hit by MSBlast and Nachi had properly configured firewalls.

    The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.

    Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.

    Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.

    So yes, this all takes a time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss you backside goodbye.

    --
    Never email donotemail@WeAreSpammers.com
  8. Re:BOHICA by afidel · · Score: 4, Insightful

    Wrong, the flaw is in the methodology of development and testing. Unchecked buffers aren't hard to eliminate. Tools like Purify will find 90% of them automatically, a good code review will find most of the rest. Look at FreeBSD, only one remote exploit in how many years??? It CAN be done, MS just doesn't have the will, because they certainly have the resources.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  9. tco and gartner by Camel+Pilot · · Score: 4, Insightful

    Did the recent microsoft underwritten study on tco for windows and linux include the odd virus infestation and weekly patching requirements for windows machines.