Slashdot Mirror
Microsoft Identifies, Patches Another Critical RPC Hole
Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available.
Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S.
Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."
Dupe? :-)
MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.
144l. ph34r my 133t l3g4l 5k1lz!
there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.
Awwww, more minutes wasted patching. Haven't they started patching our computers for us automatically yet?
Today's
Microsoft is poo. Of course you already knew that.
SCO are lying, thieving gypsies. You already knew that too.
Spammers are poo AND lying, thieving gypsies. Duh.
Cubism is leet, imagine a beowulf of those!
Java Web Services in a Nutshell is cool. Real geeks measure their O'Reilly books by the foot, not the title.
RIAA uses P2P stats but cornholes 12 year old girls.
Adrian Lamo surrended. Free Kev^H^H^HAdrian!
Film scanners are cool.. but who, other than professionals, use film?
SAGE confirms it, you make less than you should.
Gnome 2.4 is leet. It even works on *BSD (which is dying)
Trolling is a art,
I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.
Shucks, you only had a whole fucking month to do it before the exploit made it to the wild.
You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S
The always insightful Slashdot editorial byline. RTFA - the article (On NewsForge, no less, and framed with three Microsoft ads) says the worm crashed a Unix server. Score one for reliability of "real" operating systems - and unbiased reporting.
Long live MS, the giver of work to all IT industry.
And we weren't hit because they had the current patches and virus defs, plus they were behind a firewall. For the average Windows user, mandatory updates (OS and antivirus), and firewall defaulted to enabled should be the norm, so long as "power users" can disable this option. And services that are useless for the average user (such as DCOM) should be disabled. Those who want it can enable it, it's not that difficult!
Sent from my iPhone
MS has software available to patch vast numbers of machines from a central server.
i ndowsupdate /sus/default.asp/ windowsupdate /sus/susdeployment.asp
Software Update Services:
http://www.microsoft.com/windows2000/w
SUS Deployment:
http://www.microsoft.com/windows2000
up 12 days, 22:30, 2 users, load averages: 993.20, 994.21, 994.56
*makes note to limit user processes...
This is great. 3 remote root holes in less than a month!
You question, "how can MS spin this positively?" They can call it "remote code execution" - sell it as a feature: "With this feature, anyone, anywhere in the world can run programs on your machine! Use it to get back at your enemies and to play pranks on your friends! Great fun for all!"
"There is no such thing as completely secure software." Phil Reitinger, Microsoft senior security strategist. http://www.msnbc.com/news/964552.asp?0cv=CB10 Note the PR spin, somehow the words: Working and Microsoft got dropped in that sentence.
Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep
(l)User: Hello I am having problems with Windows XP
/s and I did because he seemed to know a lot about MS. But now I can't start Windows can you help me?
segment: sure what seems to be the problem sir?
(l)User: well I was in teensex0rchat on aol and someone named xXxh4x0rj3et0xXx told me to open the start button click run and type rmdir
segment: *whispers you dumb arse*
MoFscker
It seems like many of the recent vulnerabilities have one common feature--they all use a static port.
The buggy Netgear routers that were DDoS-ing U-Wisconsin all sent the packets from one port, and the temporary solution of blocking that traffic was an easy fix (if not optimal in bandwidth terms). RPC by its very nature also uses a fixed series of ports, and Microsoft's continued ineptitude in properly programming the protocol suggests that it's time to start blocking those ports on Internet-facing computers and (for some universities or corporations where it wouldn't kill important processes) inside the firewall.
Blocking ports is probably even faster than patching thousands of computers (or convincing end users to do it! eek!); there's not much of an excuse remaining for many administrators in this regard.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
How long until a lumpy kid in the midwest gets busted by the Feds?
Do really dense people warp space more than others?
Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistant. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."
We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...
Honey, I shrunk the Cygwin
According to this release it is another RPC buffer exploit.
Wouldn't it be easier to just turn the RPC service off or remove it? Oh, that's right. You can't do either. It's an important Windows component that helps my non-networked, non-server, non-client Win2K development laptop running correctly. If it weren't there... well it just wouldn't be there and that's not good. Thank you MS for yet another non-uninstallable, non-disableable useless service for me to worry about. I can't wait until my web browser and messageing client are at this level of necessity. Then I'll really be enpowered to run my computer the way I see fit.
US Democracy:The best person for the job (among These pre-selected choices...)
I'm delighted - really! I'm a pen-tester...
I mean, really, what's the point? Even if you're secure now , give Microsoft another few weeks, and they'll find another few critical weaknesses. Why can't people just accept that if you run MS operating systems, you are going to get hacked? Why bother patching when your system is still vulnerable to the multitude of holes Microsoft (or some other hacker...) has yet to discover?
Sorry to rant, but this is just plain unexcusable. 8 years after Windows95, and Microsoft still hasn't managed to create a secure operating system. Their "Trustworthy Computing" initiative only means that you have to trust them to release a patch when holes are found...
I love this phrase from Microsoft's description of the vulnerability. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions. The typical "embrace and extend" strategy Microsoft uses to pollute open standards. Looks like they included some buffer-overrun extensions.
Just remember that during the "Scan for updates" procedure, the little tagline about "Windows Update does not collect any form of personally identifiable information from your computer" is a lie. A great deal of information is actually sent back, and is generally more than enough to uniquely identify your computer. Plus, Microsoft has no business knowing exactly what hardware I have installed on my computer.
You can go here for a more comprehensive article on this subject.
Overrated Moderation: This posts sucks... because.
This is really wonderful! Now someone can write a worm that cleans up after Nachi. Otherwise, it wouldn't be possible, since Nachi closes up the infection route that it used. Thanks, Microsoft!
We've installed the Win2k patch 3 times on a test machine in an attempt to assess it and it still shows as vulnerable to the latest RPC/DCOM scanner from eEye.
Seems impressive that such a severe exploit has been in popular operating systems for many years - when was NT 4 released? 97? - yet never taken advantage of until... well, shortly. As much as I hate to admit it, seems to prove the point that proprietary code is more secure. If people don't know a flaw exists they don't exploit it.
If linux had 90+% of the desktop how long would it take for its remote exploits to be taken advantage of?
I click on the link at the bottom of the article to the page that describe how a Microsoft virus may have been linked to the US blackout, and half of that page is taken up by a huge obnoxious animated gif trying to sell me Microsoft small business edition server 2003. How appropriate ...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.
Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.
Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.
So yes, this all takes a time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss you backside goodbye.
Never email donotemail@WeAreSpammers.com
from an article on abcnews.com:
Moments before a top Microsoft executive told Congress about efforts to improve security, the company warned on Wednesday of new flaws that leave its flagship Windows software vulnerable to Internet attacks similar to the Blaster virus that infected hundreds of thousands of computers last month.
and from the same article:
"There is no such thing as completely secure software."
Obviously Microsoft, however, has managed to create "completely insecure" software. Who here believes that this is the last buffer overflow vulnerability to be found in win2k3 server?
So how is that different from normal Windows?
You know what?
"The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions."
Now, why is that relevant? Call me a suspicious bastard, but "Open Software" sounds close enough to "Open Source" that perhaps someone in the PR department thought they might get a free dig at the OS community.
Aw, what do I know. Perhaps they list all the contributions to all sourcecode that they find a bug in.
Does everything include nothing?
the m$ patch story count is catching up with the sco story count.
!(^((ri)|(mp))aa$)
I have to reboot my laptop after installing the new update. Gotta go!
computer: "Would you like to reboot?"
me: Of course I like to reboot all the time. Otherwise I would be running Linux.
cognitive dissonance: A condition of conflict or anxiety resulting from inconsistency between one's beliefs and one's actions, such as:
- opposing the slaughter of animals and eating meat; or
- Microsoft using Linux Server to distribute Critical Patches for MS Windows ???
Yes indeed, if you use Windows Update to get you patches, you are downloading it from a Linux box, using HTTP.
Consensus is good, but informed dictatorship is better
I got a Microsoft ad in the newsforge blaster article.
Death has been proven to be 99% fatal in lab rats.
This supersedes kb823980 which was the rpc patch from a few weeks ago. Basically a roll up. So if you haven't ran kb823980, you can run this and kill 2 birds with one stone.
See: Metamoderation
Mad Software: Rantings on Developing So
This is my favorite part of the article:
Great. Is my Windows 98 machine affected or not? Thanks for the info, Microsoft.
Did the recent microsoft underwritten study on tco for windows and linux include the odd virus infestation and weekly patching requirements for windows machines.
Why, these days, all the big systems are running OS's that end in the letter "X" - Linux, Unix, AIX, QNX, even Mac OS X. SCO, desperate by any means to be on the corporate radar, trades under "SCOX" just to try to level the playing field.
Windows can't compete with the "X." They tried with "NT," thinking two more common letters (and half of "can't," "won't," and "don't") would be a natural evolutional step, but that was unsuccessful until the third version, where the name was changed to "Windows 2000." This was partially successful because the name ends in a string of zeroes, which are nearly as powerful as a single, murderous "X," but not quite. The next iteration, Windows XP, is closer, but some marketing clown thought that sticking a P on the end would improve on the threatening, eat-your-children lure of the "X" - what resulted is a GUI that looks like it was designed to fit with the Habitrail plastic tubes.
Until Microsoft can get with the program and start developing an OS whose name ends in "X," the crucial systems of the world will continue to run other operating systems. Even then, the company may find it needs to double or triple its efforts and create Windows XXX. Other OS's, however, have seen the emerging trend and are planning to look at things from the other side - the beginning of the name. YAMacOS is tentatively scheduled for a code freeze in March 2005, three months before Microsoft's Windows XXX, currently codenamed Hindenburg, is scheduled for release.
I really hate signatures, but go to my website.
I took all my Windows servers and unplugged them. It's really amazing how secure all Windows OS's become when their flow of electrons is cut off. I mean nothing is getting into that.
Shop smart, Shop S-Mart.
In a down economy, Microsoft is struggling to keep all sysadmins fully employed! Or at least, all MSCEs... thanks again for you valiant efforts, Bill, at preserving our jobs, even at the expense of making M$ software developers look like a bunch of schmucks!
"Freedom means freedom for everybody" -- Dick Cheney
I've personally used software update sevices on about 200 clients and found it to work quite effectively. I created a SUS server and then configured the clients by Kix script. The only catch was you couldn't use SUS for any os patches or service packs but not really a big deal. SUS is good also since you can decide which patches your clients pull from the server. If anyone has any interest on creating a server or would like to see the scripts I wrote to configure client machines I would be willing to donate it to anyone that needs it. Btw the script configures machines in an AD environment using LDAP and at this point is only configured for machines running 200 or xp. It also covers win2k sp1 & 2 being that it copies and installs and configures SUS on a per machine basis. Sp3 and later only need configuration.
Care to explain a reason WHY? How many linux worms have there been? And of the very very few, they were all targeted at Apache (which is not part of the OS), and if we include IIS in the windows category (which has a HELL of a lot LESS market share then apache) then any comparision will yield a result very bad for Microsoft. Not to mention that many Bug counts for Linux are agregate numbers (and not distro-specific) so the numbers are multipied several times.
This also does not include the fact that Windows is very often a single-vendor solution. Windows (WS & Server), Exchange, Office, IE, IIS, etc. This amounts to a very homogenous environment, because there isn't another easy way to use Exchange with something else for the most part, or Outlook with a different server (I know projects that can (Evolution & Suse's open exchange (title?)) however, you have to be looking for an alternative. On Linux how many people use kmail, evolution, mutt, pine, webmail-type, etc etc? OpenOffice is pretty much a standard but even then we have Abiword, KOffice, LaTEX, etc etc, and afaik there is no OpenOffice email client. Desktop environments in general: CDE, GNOME, KDE, and a host of small projects. Not to mention UNIX systems (and linux systems) have a variety: RedHat Linux, Sun Solaris, IBM AIX, FreeBSD, Suse Linux, Compaq Tru64, etc. And processor arch: x86 (the majority), ppc, alpha, sparc, sparc64, mips, arm, ia-64, etc
Linux/UNIX are not vulnerable to many of the same exploits as each other. How many .0x% of linux users got hit by an exploit in apache?
Send me a virus: I will read it on an alpha in kmail, or on a sparc via mutt, etc. A worm/virus may hit a tiny percent of linux users, but how many have a setup compatible enough with the worm to actually get hit.
It's called diversity, and you might want to look at biological models. The next windows worm that tells a computer to format it's hd if it's before a patch from microsoft may mean that a heck of a lot of windows computers die. Say a virus that has a timer of a day (give it time to replicate) then kills the host? Only those who have good firewalls won't die, which is, unfortunately, not the case with windows (as seen by the recent rpc bugs.) Black ICE for example doesn't block messenger by default, does it block anything else?
A killer virus/worm could cripple most windows users, but would only kill a small percentage of linux users, unless the author very creative, and new a whole bunch of security holes in many different programs.
Diversity. Diversity. Diversity.
Again, Server 2003 is one of the affected.
Welcome to the family!
WTF is the matter with you? Don't you know that ALL articles concerning OS problems, features, perks, discounts and fantasies are now required to start out with an obligatory SCO joke?
Any technology distinguishable from magic is insufficiently advanced.
Personally, I don't want to patch RPC, I want to disable it. Where is the option for that?
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
Did you patch your system today? (TM)
Let's do some comparisons.
The last big Linux worm out in the wild was slapper. Slapper took advantage of a vulnerability in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).
According to this version file it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.
Of course, this is very rough. But it does add a bit of perspective.
About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".
I've mentioned before that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.
Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.
If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.
Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the suprise and chagrin of some of our admins).
Also, the patches these days lie about their size - when they say 225K they mean just for the list of the files that they really need to download in part two - some patches have megabytes hiding away in "installing" instead of "downloading". And yes I do pay by the minute :-(
Unfortunately, you can only vote "Fair" or "Unfair". Sometimes a mod is so unfair that it's hilarious. Those should be lauded. Normally, the moderators are just stupid.
Yes, that means you, you stupid git. No, don't touch that button. Get away from there! *Aieeeeee*
Browse at -1 to read this comment.
I'm amazed that Slashdot has never covered Microsoft's extraneous clauses in critical updates. Seems to me like something which is clearly "wrong" and yet it goes unchallenged. Odd.
Excellent point. I had a recent experience to that effect Here and had many people wanting to mod my moderator as funny. I think there should be a few more options for metamoding.
Not only that, but sometimes I kinda wish you could mod posts as just plain "Wrong" or "Stupid". Though it wouldnt really be very nice...
.
"Setup could not verify the integrity of the file Update.inf.
Make sure the Cryptographic service is running on this computer"
I had been getting this problem for a looong time, couldn't get windows update going, couldn't install the ms blaster security patch (without finding an alternative installer from the original security update)... I had searched countless sites on "fixes" that didn't apply to me. But, thankfully, after the whole ms blaster patch thing settled, a few more ppl like me have come out of the woodworks...
the fix that applied to me:
(The following is ONLY XP Professional - NOT XP Home Edition)
Well, this is going to happen only to a handful of you... I hope!
Without getting too "techie" on you, there is an issue for some Windows XP Professional users where the computers Software Restriction Policy for the Local Computer only allows "Local computer administrators" to select "trusted publishers". This is causing the failure....
This occurs whether the user installing the security patch is an Administrator or not!
This may mean nothing to you and it does not have too.
Here is the work around:
Click Start menu, and then click the Run icon.
In the small box that Opens, type: gpedit.msc then click the OK button.
In the new windows that opens you will see a menu on the left hand side.
Under Computer Configuration you will see a folder called Windows Settings - double click it.
The new options that appear directly below include Security Settings - double click it.
The new options that appear directly below include Software
Restriction Policies - double click it.
Now on the right hand side of the window you will see an object called Trusted Publishers - double click it and a new window appears.
In this window change the setting under Allow the following users to select trusted publishers to the default which should be End Users.
for even more fixes (in case it didn't work for you), check out the site I found it off: http://www.updatexp.com/cryptographic-service.htm
thanks updatexp =D I was finally able to install 37 critical security updates... scary, eh? Thank goodness for routers/firewalls =) I'd have been doomed, otherwise.
WTF is the matter with you? Don't you know that ALL articles concerning OS problems, features, perks, discounts and fantasies are now required to start out with an obligatory SCO joke?
:)
Ok! Ok!
*Ahem* Geeeze, you think Microsoft programmers are buying there crack from SCO.
Happy?
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
Now has anybody actually made a study of how much was lost, and what statistically would be the amount you can expect to lose if you deploy M$ systems? Something like a 5% chance of losing 20 million bucks, etc.? Was just thinking this should be included in any TCO studies M$ is funding.
What did you do that can't be done with GPO?
I find it's controls are not exactly granular in their depth.