Slashdot Mirror


Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T: Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

26 of 604 comments

  1. Standard Practice... by klaxor · · Score: 4, Interesting

    • Wednesdays are patch days for Microsoft products....
    • Thursdays, I get to figure out what the patch broke...
    • Fridays, I hope everything's good until the next Wednesday....

    I mean, really, what's the point? Even if you're secure now, give Microsoft another few weeks, and they'll find another few critical weaknesses. Why can't people just accept that if you run MS operating systems, you are going to get hacked? Why bother patching when your system is still vulnerable to the multitude of holes Microsoft (or some other hacker...) has yet to discover?

    Sorry to rant, but this is just plain inexcusable. 8 years after Windows95, and Microsoft still hasn't managed to create a secure operating system. Their "Trustworthy Computing" initiative only means that you have to trust them to release a patch when holes are found...

  2. Microsoft-specific Extensions by dprice · · Score: 5, Interesting

    I love this phrase from Microsoft's description of the vulnerability: "The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions." The typical "embrace and extend" strategy Microsoft uses to pollute open standards. Looks like they included some buffer-overrun extensions.

    1. Re:Microsoft-specific Extensions by Krisbee · · Score: 2, Interesting

      I hate to say this, but the RPC bug that opened for the MSBlast worm was most likely imported from OSF itself. What may be less known is that MSblast, while not being able to infect them, killed the OSF DCE host daemons on Solaris, Windows, Linux, HPUX, Tru64 and probably IRIX as well. AIX seems to have stayed clear, but IBM has nevertheless released a patch.

  3. MS Update Privacy Issues by argmanah · · Score: 3, Interesting
    MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

    Just remember that during the "Scan for updates" procedure, the little tagline about "Windows Update does not collect any form of personally identifiable information from your computer" is a lie. A great deal of information is actually sent back, and is generally more than enough to uniquely identify your computer. Plus, Microsoft has no business knowing exactly what hardware I have installed on my computer.

    You can go here for a more comprehensive article on this subject.
    --
    Overrated Moderation: This posts sucks... because.
  4. Patch unreliable? by Some+Bitch · · Score: 2, Interesting

    We've installed the Win2k patch 3 times on a test machine in an attempt to assess it and it still shows as vulnerable to the latest RPC/DCOM scanner from eEye.

  5. Re:Bring it on... by AEton · · Score: 4, Interesting

    With this feature, anyone, anywhere in the world can run programs on your machine!

    You're kidding, but that's actually pretty close to what they say:

    "A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it."

    "A security issue has been identified in Microsoft Windows that could allow an attacker to see information in your computer's memory over a network."

    "An identified security issue in Microsoft Data Access Components could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system."

    This is after about a week of Windows Update not working because at some point it screwed itself-- the "New Windows Update Software required" dialog kept coming up in place of anything useful. (The fix is, among other places, here). Yikes!

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
  6. Re:MS Software Update Services (SUS) by pe1chl · · Score: 2, Interesting

    Before, you could just download the Windows Update fix on a single computer, check the firewall log to see what .exe was downloaded to perform the update, get that file and store it on your server, and run it from the logon script using a couple of flags for silent installation.

    With this update, Microsoft have disabled that!
    The .exe contacts a server at Microsoft, POSTs some info, and gets 80KB of data back in return. When you try to run the .exe on a PC without Internet connectivity, it fails.

    Is this to help us to quickly patch all systems?
    To force us to roll out that SUS system quickly (today) to be able to apply this patch?

    The ways of the force are getting more awful every day. How much longer are the customers going to accept this?

  7. Re:Port blocking on Internet/Intranets by Not_Wiggins · · Score: 3, Interesting

    Ugh... why not just put your networks behind a reasonable firewall and block those incoming ports?

    Hate to rail on it, but even if I don't patch my Win2K box at home (used for gaming), I don't need to worry about it because my OpenBSD firewall protects me from this crap.

    Or isn't this solution obvious enough?

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  8. Re:Been there, done that... by L1ttl3p1gg3 · · Score: 3, Interesting

    M$ Update is great and works fine as long as you are on broadband. If you're not, it takes hours to update your system from a clean install - IF the end server doesn't end up zapping your connection.

    One of my clients is in this exact situation - they are on dialup simply because their business is in the sticks and there is no broadband available. They got hacked into a few weeks ago because of these bugs and holes - the solution instead of serious money (compared to dialup), is to simply install Linux everywhere for them, and put Windows into a "clean room" implementation with VMWare...

    Moral: M$ Update only works if you have the resources - otherwise you're screwed and YOU WILL SUFFER!

    --
    I've pissed someone off somewhere...
  9. Re:Been there, done that... by Xerithane · · Score: 5, Interesting

    Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.

    This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

    I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.

    But, if you believe the safest route to Windows is to leave it unpatched behind any firewall I hope you are never in charge of any networks. I'm sure even your non-Windows machines are amazingly insecure and waiting to be exploited.

    --
    Dacels Jewelers can't be trusted.
  10. Re:Been there, done that... by Florian+Weimer · · Score: 4, Interesting

    Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.

    At least Windows Update doesn't have this big fat warning that Office Update displays before you can download any patches. It basically says that the update might deliberately break your Office installation if you've got an illegal copy.

    No wonder most people hesitate to install these upgrades.

  11. Re:Been there, done that... by gethane · · Score: 5, Interesting

    Yes, the love ms blaster hotfix provided by MS broke my network laser printing system. That was fun. First patch 200 systems, then have to fix network printing on them all..

    Joy Joy.

  12. Re:Been there, done that... by Dynamoo · · Score: 1, Interesting

    Yeah we had some dumbass user run Windows Update on their Compaq Evo laptop, download all the critical updates (which was OK) and updated drivers (which was not). Result? Blue screen of death. Smart move.

    --
    Never email donotemail@WeAreSpammers.com
  13. Whither old Windows? by gamartin · · Score: 2, Interesting

    This is my favorite part of the article:

    Microsoft tested Windows Millennium Edition, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

    Great. Is my Windows 98 machine affected or not? Thanks for the info, Microsoft.

  14. Re:BOHICA by aridhol · · Score: 1, Interesting
    Look at FreeBSD, only one remote exploit in how many years???
    s/Free/Open/
    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  15. When will M$ be held accountable for damage caused by Anonymous Coward · · Score: 1, Interesting

    When will Micro$oft finally be held liable for all the damage caused by their incompetence, exorbitant profits and malicious negligence, all powered by greed and arrogance! When will this shrink wrap nonsense EULAs finally be declared void by a sane judge! When will M$ be held accountable for their anti-social behaviour with the business ethics of a heroin dealer. How long do we have to tolerate this shit? Or just wait for the next major disaster?

  16. Re:MS Software Update Services (SUS) by PhreakOfTime · · Score: 5, Interesting

    I noticed this too. After the update downloads, the application tripped my firewall on port 80. Nowhere in the update does it specify that this will be needed.

    This bothers me for several reasons; 1) I administer many machines that are off site. They have been set up as tight as can be which keeps me from having to drive to the furthest ones which are over 200 miles away. Now I have to allow a program downloaded from a NON-SECURED web site to run freely while accessing the internet? How did this strike anyone as a good idea? 2) Well, there is no 2 just yet as I haven't had time for all the negative consequences to hit yet.

    I'm sure with a little tinkering, this can be resolved, hell I'll just put that IP into my routing table and hit it to a local box or something...

  17. Re:MS Software Update Services (SUS) by pe1chl · · Score: 2, Interesting

    Do you think a patch tool that requires IIS and requires your server to be Windows 2000 is a nice handy tool?
    Our servers run NT4 and we don't run IIS. The Intranet runs on Apache (Linux).

    Fortunately we have our patch deployment tool that is just 20 lines of KIX script running as part of the LOGON script. Works every time, but unfortunately Microsoft does everything it can to attempt to break it. (see other replies in this subthread)

  18. Re:Been there, done that... by Anonymous Coward · · Score: 3, Interesting

    I realize this is a joke, but I'm kind of tired of seeing it on here. I ran Windows Update on 3 Win2k servers before msblast. 2 of them were patched properly, the 3rd wasn't patched at all. I just ran it on all 3 again, and 2 found patches that needed installed while the 3rd said it was up to date. Running it again found the patches I needed for the 3rd one.

    Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volume of them, it's a lot harder than most people think to keep boxes up to date. I'm just glad I only have 3 to maintain now, instead of the 80 or so I had at my last job.

    Thank Xenu for FreeBSD.

  19. Re:Been there, done that... by arkhan_jg · · Score: 4, Interesting

    I've been bitten three times by windows security patch problems. The first was the NT4 sp6/sp6a debacle. The second, much more insidious, was the problem caused with the windows xp hotfix that caused a significant slowdown.

    The last, and most problematic for me to track down, was not strictly a microsoft fault, but is still relevant.

    We run a ~200 machine windows 2000 client network. We also run a couple of virtual CDROM servers. Upgrading to service pack 3 a while back seemed to work fine, when I rolled it out with ghost with a batch of other updates, everything seemed fine. After a few weeks though, I noticed there were a lot of problems being reported with the machines locking up periodically. After much digging and testing, it turns out the client software for the virtual CD's had a bug on SP3.

    Yes, it was a bug in a third party application. But still, you can see why smart admins with big networks prefer to test patch rollouts rather than run every workstation with automatic updates enabled. Even if the patch doesn't break windows, it may well break something else that runs on it.

    Still, patches need to be rolled out eventually. Laptops will happily infect any system relying on firewalls alone.

    I still blame microsoft for writing code that so easily allows net-based root exploits though, that means we have to patch so damn much.

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  20. Software Cures MSBlaster Pain for MS Exchange by Anonymous Coward · · Score: 1, Interesting

    Software Cures MSBlaster Pain for MS Exchange; Web-based Approach to Exchange Pays Dividends
    9/10/2003 10:29:00 AM

    REDWOOD CITY, Calif., Sep 10, 2003 (BUSINESS WIRE) -- Seaside Software's products, HiPerExchange and Xkey, have proved their worth for users during the recent MSBlaster crisis. While other companies have scrambled to re-connect their remote Outlook users suddenly cut off by multiple ISPs, Seaside customers have continued to access Exchange without interruption to critical business endeavors.

    Companies with remote Outlook users can consider a number of alternatives for accessing their Exchange server, says David Ferris, President and Analyst of messaging consultancy at Ferris Research. The downside is they either add significant cost and complexity (VPNs, wholesale client/server upgrades) or drop majority functionality (eg, offline use in the case of Outlook Web Access). With Seaside's approach, users get rich client features (e.g., offline use, synched online performance, archiving) with their web client, HiPerExchange. By keeping all communications with the server web-based, they sidestep issues caused by worms such as MSBlaster while delivering Exchange to remote users.

  21. Kill RPC by ChrisKnight · · Score: 2, Interesting

    Personally, I don't want to patch RPC, I want to disable it. Where is the option for that?

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
  22. Re:Been there, done that... by ilovebacon · · Score: 2, Interesting

    Microsoft doesn't write the drivers on windows update. The drivers found there are submitted by the vendor of the hardware.

  23. Re:BOHICA by unnique · · Score: 2, Interesting

    Not nit-pickin, just to confirm things, wasn't it OpenBSD with the one-hole-in-7-years record?

  24. Benchmarks by Andy+Smith · · Score: 2, Interesting
    Note that this is another "critical" security update which includes an unconnected non-disclosure clause in the license agreement:
    You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval.
    So if you want to keep your Windows system secure then you must also agree to be gagged.

    I'm amazed that Slashdot has never covered Microsoft's extraneous clauses in critical updates. Seems to me like something which is clearly "wrong" and yet it goes unchallenged. Odd.
  25. Re:+5 Funny for the mods.... by epiphani · · Score: 3, Interesting

    Excellent point. I had a recent experience to that effect Here and had many people wanting to mod my moderator as funny. I think there should be a few more options for metamoding.

    Not only that, but sometimes I kinda wish you could mod posts as just plain "Wrong" or "Stupid". Though it wouldn't really be very nice...

    --
    .