Slashdot Mirror
Microsoft Identifies, Patches Another Critical RPC Hole
Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available.
Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S.
Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."
Dupe? :-)
MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.
144l. ph34r my 133t l3g4l 5k1lz!
there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.
Today's
Microsoft is poo. Of course you already knew that.
SCO are lying, thieving gypsies. You already knew that too.
Spammers are poo AND lying, thieving gypsies. Duh.
Cubism is leet, imagine a beowulf of those!
Java Web Services in a Nutshell is cool. Real geeks measure their O'Reilly books by the foot, not the title.
RIAA uses P2P stats but cornholes 12 year old girls.
Adrian Lamo surrended. Free Kev^H^H^HAdrian!
Film scanners are cool.. but who, other than professionals, use film?
SAGE confirms it, you make less than you should.
Gnome 2.4 is leet. It even works on *BSD (which is dying)
Trolling is a art,
I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.
Long live MS, the giver of work to all IT industry.
And we weren't hit because they had the current patches and virus defs, plus they were behind a firewall. For the average Windows user, mandatory updates (OS and antivirus), and firewall defaulted to enabled should be the norm, so long as "power users" can disable this option. And services that are useless for the average user (such as DCOM) should be disabled. Those who want it can enable it, it's not that difficult!
Sent from my iPhone
This is great. 3 remote root holes in less than a month!
You question, "how can MS spin this positively?" They can call it "remote code execution" - sell it as a feature: "With this feature, anyone, anywhere in the world can run programs on your machine! Use it to get back at your enemies and to play pranks on your friends! Great fun for all!"
(l)User: Hello I am having problems with Windows XP
/s and I did because he seemed to know a lot about MS. But now I can't start Windows can you help me?
segment: sure what seems to be the problem sir?
(l)User: well I was in teensex0rchat on aol and someone named xXxh4x0rj3et0xXx told me to open the start button click run and type rmdir
segment: *whispers you dumb arse*
MoFscker
It seems like many of the recent vulnerabilities have one common feature--they all use a static port.
The buggy Netgear routers that were DDoS-ing U-Wisconsin all sent the packets from one port, and the temporary solution of blocking that traffic was an easy fix (if not optimal in bandwidth terms). RPC by its very nature also uses a fixed series of ports, and Microsoft's continued ineptitude in properly programming the protocol suggests that it's time to start blocking those ports on Internet-facing computers and (for some universities or corporations where it wouldn't kill important processes) inside the firewall.
Blocking ports is probably even faster than patching thousands of computers (or convincing end users to do it! eek!); there's not much of an excuse remaining for many administrators in this regard.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistant. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."
We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...
Honey, I shrunk the Cygwin
Wouldn't it be easier to just turn the RPC service off or remove it? Oh, that's right. You can't do either. It's an important Windows component that helps my non-networked, non-server, non-client Win2K development laptop running correctly. If it weren't there... well it just wouldn't be there and that's not good. Thank you MS for yet another non-uninstallable, non-disableable useless service for me to worry about. I can't wait until my web browser and messageing client are at this level of necessity. Then I'll really be enpowered to run my computer the way I see fit.
US Democracy:The best person for the job (among These pre-selected choices...)
I mean, really, what's the point? Even if you're secure now , give Microsoft another few weeks, and they'll find another few critical weaknesses. Why can't people just accept that if you run MS operating systems, you are going to get hacked? Why bother patching when your system is still vulnerable to the multitude of holes Microsoft (or some other hacker...) has yet to discover?
Sorry to rant, but this is just plain unexcusable. 8 years after Windows95, and Microsoft still hasn't managed to create a secure operating system. Their "Trustworthy Computing" initiative only means that you have to trust them to release a patch when holes are found...
I love this phrase from Microsoft's description of the vulnerability. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions. The typical "embrace and extend" strategy Microsoft uses to pollute open standards. Looks like they included some buffer-overrun extensions.
This is really wonderful! Now someone can write a worm that cleans up after Nachi. Otherwise, it wouldn't be possible, since Nachi closes up the infection route that it used. Thanks, Microsoft!
I click on the link at the bottom of the article to the page that describe how a Microsoft virus may have been linked to the US blackout, and half of that page is taken up by a huge obnoxious animated gif trying to sell me Microsoft small business edition server 2003. How appropriate ...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.
Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.
Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.
So yes, this all takes a time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss you backside goodbye.
Never email donotemail@WeAreSpammers.com
03-039 will overwrite 03-026 and make your machine appear to be vulnerable to Blaster when it really isn't. Read the release notes on 03-039.
Do really dense people warp space more than others?
I have to reboot my laptop after installing the new update. Gotta go!
computer: "Would you like to reboot?"
me: Of course I like to reboot all the time. Otherwise I would be running Linux.
This supersedes kb823980 which was the rpc patch from a few weeks ago. Basically a roll up. So if you haven't ran kb823980, you can run this and kill 2 birds with one stone.
Did the recent microsoft underwritten study on tco for windows and linux include the odd virus infestation and weekly patching requirements for windows machines.
Why, these days, all the big systems are running OS's that end in the letter "X" - Linux, Unix, AIX, QNX, even Mac OS X. SCO, desperate by any means to be on the corporate radar, trades under "SCOX" just to try to level the playing field.
Windows can't compete with the "X." They tried with "NT," thinking two more common letters (and half of "can't," "won't," and "don't") would be a natural evolutional step, but that was unsuccessful until the third version, where the name was changed to "Windows 2000." This was partially successful because the name ends in a string of zeroes, which are nearly as powerful as a single, murderous "X," but not quite. The next iteration, Windows XP, is closer, but some marketing clown thought that sticking a P on the end would improve on the threatening, eat-your-children lure of the "X" - what resulted is a GUI that looks like it was designed to fit with the Habitrail plastic tubes.
Until Microsoft can get with the program and start developing an OS whose name ends in "X," the crucial systems of the world will continue to run other operating systems. Even then, the company may find it needs to double or triple its efforts and create Windows XXX. Other OS's, however, have seen the emerging trend and are planning to look at things from the other side - the beginning of the name. YAMacOS is tentatively scheduled for a code freeze in March 2005, three months before Microsoft's Windows XXX, currently codenamed Hindenburg, is scheduled for release.
I really hate signatures, but go to my website.
I took all my Windows servers and unplugged them. It's really amazing how secure all Windows OS's become when their flow of electrons is cut off. I mean nothing is getting into that.
Shop smart, Shop S-Mart.
I've personally used software update sevices on about 200 clients and found it to work quite effectively. I created a SUS server and then configured the clients by Kix script. The only catch was you couldn't use SUS for any os patches or service packs but not really a big deal. SUS is good also since you can decide which patches your clients pull from the server. If anyone has any interest on creating a server or would like to see the scripts I wrote to configure client machines I would be willing to donate it to anyone that needs it. Btw the script configures machines in an AD environment using LDAP and at this point is only configured for machines running 200 or xp. It also covers win2k sp1 & 2 being that it copies and installs and configures SUS on a per machine basis. Sp3 and later only need configuration.
I noticed this too. After the update downloads, the application tripped my firewall on port 80. Nowhere in the update does it specify that this will be needed.
This bothers me for several reasons; 1) I administer many machines that are off site. They have been set up as tight as can be which keeps me from having to drive to the furthest ones which are over 200 miles away. Now I have to allow a program downloaded from a NON-SECURED web site to run freely while accesing the internet? How did this strike anyone as a good idea? 2) Well, there is no 2 just yet as I havent had time for all the negative consequences to hit yet.
Im sure with a little tinkering, this can be resolved, hell Ill just put that IP into my routing table and hit it to a local box or something...
Did you patch your system today? (TM)
Let's do some comparisons.
The last big Linux worm out in the wild was slapper. Slapper took advantage of a vulnerability in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).
According to this version file it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.
Of course, this is very rough. But it does add a bit of perspective.
About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".
I've mentioned before that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.
Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.
If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.
Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the suprise and chagrin of some of our admins).
The Microsoft family is similar to the Osbourne family. XP is pretty much Ozzy.