Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

Been there, done that...

[DavidBrown]

MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

Re:Been there, done that...

[FearUncertaintyDoubt]

And anyone who has ever been burned by a MS patch that caused more problems than it prevented will tell you that you should never be the first guy to install a Windows patch.

The reality that BillG refuses to acknowledge in his public statements is simply that you cannot "just install the patch" in an enterprise environment. It takes time. Time to evaluate the risks of installing vs. not installing, time to test (and resolve any issues that come up), time to develop a deployment plan, time to actually implement the deployment plan, and time to audit and follow up with everyone who 1) has somehow avoided installing it, 2) is a dial-up user and can't download it easily, 3) had their machine utterly crash after the patch was applied.

Don't blame sysadmins. Blame MS for releasing patches which step on the heels of the deployment of the previous critical update. When a new patch comes out every 2 weeks, and a deployment may take 3 weeks, you've got a problem.

Re:Been there, done that...

[frozenray]

This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.

Where I work, this baby nearly slipped through QA (the error only occurs on certain levels of the Compaq RAID firmware, and the three original test servers had a newer revision of the firmware). Good thing one of the guys in QA (bless him) decided to do a little additional testing (and we use a staggered deployment scheme anyway), or we could potentially have faced 400 BSODing production servers.

The fact that WU works fine for your single box (as it does for mine) unfortunately says nothing about the regular deployment of patches in a 36'000 seat / 800 server corporate network such as ours, even if stringent QA procedures are in place. Keep in mind that security fixes mean tighter security settings and that those can lead to application problems which can be very hard to find without an inordinate amount of QA.

And by the way, SUS 1.1 might be fine for a small to medium network, but falls miserably short for large installations. We're praying that 2.0 will be better suited to our purposes because handling the pressure from the IRT case manager (who wants to deploy every fix immediately) and production (who doesn't tolerate downtime due to patch distribution) is not fun at all.

Last but not least: having things like DBMS file systems in future OS releases might be cool - but we can live without them. Me, I'd settle for an OS with less bugs and security holes, thank you very much.

jebus h flippin' christ

there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.

We need PUBLICITY, or no one will know or care.

[JessLeah]

Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistant. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."

We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...