Microsoft Identifies, Patches Another Critical RPC Hole
Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available.
Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S.
Update: 09/10 20:41 GMT by T: Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."
I mean, really, what's the point? Even if you're secure now, give Microsoft another few weeks, and they'll find another few critical weaknesses. Why can't people just accept that if you run MS operating systems, you are going to get hacked? Why bother patching when your system is still vulnerable to the multitude of holes Microsoft (or some other hacker...) has yet to discover?
Sorry to rant, but this is just plain inexcusable. 8 years after Windows 95, and Microsoft still hasn't managed to create a secure operating system. Their "Trustworthy Computing" initiative only means that you have to trust them to release a patch when holes are found...
I love this phrase from Microsoft's description of the vulnerability: "The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions." The typical "embrace and extend" strategy Microsoft uses to pollute open standards. Looks like they included some buffer-overrun extensions.
With this feature, anyone, anywhere in the world can run programs on your machine!
You're kidding, but that's actually pretty close to what they say:
"A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it."
"A security issue has been identified in Microsoft Windows that could allow an attacker to see information in your computer's memory over a network."
"An identified security issue in Microsoft Data Access Components could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system."
This is after about a week of Windows Update not working because at some point it screwed itself-- the "New Windows Update Software required" dialog kept coming up in place of anything useful. (The fix is, among other places, here). Yikes!
Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.
This happens incredibly infrequently, especially considering the amazingly large number of systems that run Windows.
I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.
But, if you believe the safest route to Windows is to leave it unpatched behind any firewall I hope you are never in charge of any networks. I'm sure even your non-Windows machines are amazingly insecure and waiting to be exploited.
Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.
At least Windows Update doesn't have this big fat warning that Office Update displays before you can download any patches. It basically says that the update might deliberately break your Office installation if you've got an illegal copy.
No wonder most people hesitate to install these upgrades.
Yes, the love ms blaster hotfix provided by MS broke my network laser printing system. That was fun. First patch 200 systems, then have to fix network printing on them all..
Joy Joy.
I noticed this too. After the update downloads, the application tripped my firewall on port 80. Nowhere in the update does it specify that this will be needed.
This bothers me for several reasons: 1) I administer many machines that are off site. They have been set up as tight as can be which keeps me from having to drive to the furthest ones which are over 200 miles away. Now I have to allow a program downloaded from a NON-SECURED web site to run freely while accessing the internet? How did this strike anyone as a good idea? 2) Well, there is no 2 just yet as I haven't had time for all the negative consequences to hit yet.
I'm sure with a little tinkering, this can be resolved, hell I'll just put that IP into my routing table and hit it to a local box or something...
I've been bitten three times by Windows security patch problems. The first was the NT4 SP6/SP6a debacle. The second, much more insidious, was the problem caused with the Windows XP hotfix that caused a significant slowdown.
The last, and most problematic for me to track down, was not strictly a Microsoft fault, but is still relevant.
We run a ~200 machine Windows 2000 client network. We also run a couple of virtual CDROM servers. Upgrading to service pack 3 a while back seemed to work fine; when I rolled it out with Ghost with a batch of other updates, everything seemed fine. After a few weeks though, I noticed there were a lot of problems being reported with the machines locking up periodically. After much digging and testing, it turns out the client software for the virtual CDs had a bug on SP3.
Yes, it was a bug in a third party application. But still, you can see why smart admins with big networks prefer to test patch rollouts rather than run every workstation with automatic updates enabled. Even if the patch doesn't break Windows, it may well break something else that runs on it.
Still, patches need to be rolled out eventually. Laptops will happily infect any system relying on firewalls alone.
I still blame Microsoft for writing code that so easily allows net-based root exploits though, that means we have to patch so damn much.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.