There's a newly discovered RPC buffer overflow hole in the current line of Microsoft operating systems, including Windows 2000 and Windows XP. This is just like, and just as bad as, last month's RPC hole which allowed the "Blaster" worm to enter systems. But last month's patch doesn't protect you; you need to apply today's patch. In non-technical language: This hole in Windows allows the bad guys to get into your computer and do anything to it, if it is connected to the net. You do not need to read an email or visit a web site; just being on the Internet is sufficient. Antivirus software won't prevent an attack on this hole. There is no reported worm yet using this vulnerability, but it's probably just a matter of hours, days at best. The affected ports are filtered in many places on the net after the last go-round with "Blaster," and that might offer some protection.
Links:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp
http://news.com.com/2100-1009_3-5074008.html?tag=fd_top
Patch your Windows 2000 and Windows XP systems promptly, and save work for your network support people. Windows 95, 98 and ME are not affected by this problem.
Mac OS and Linux are not affected either.
While Windows 95/98 are not affected by this particular problem, Windows 98 users should be aware that Microsoft has ended the "free support period" for that operating system and will no longer be creating fixes for any new security problems that are found.
Get the update before it's too late. This vulnerability brings you not just one buffer overflow to exploit the way the previous vulnerability did, not two buffer overflows, but a whopping three buffer overflows to go after. Plus, as a bonus, there is a nice little DoS thrown in. "It is as close to being the same as it can be while being different" - description of one wag. One school of thought is that it will take three times longer to develop exploit code, as one now has three targets to figure out the best of. The other school of thought is that with three to play with, the potential of a blended attack is possible; also, since the mechanics of the first vulnerability are well known and the source to the two major strains of the previous exploits is well distributed, there are now more folk working on it - the million monkey theory gives us about 14 hours until the zero event. Plus the original authors of the two earlier exploits are still out there, and one seems to be a very clever fellow indeed. People are hoping that because more and more people have firewalls blocking the relevant ports, this one won't be as bad. Personally, I think folk are fooling themselves. They are still vulnerable on the inside if not completely patched. Also, many folk are under the misapprehension from the previous situation that patching an infested system solves the problem. Not so: the worm remains active, looking for other victims even on a patched system. I expect the same will be true for the once and future exploit when it hits. Again, get the update before it is too late. (And waiting for the weekend may really be pushing it....)
I expect severely restricted computing platforms as a result of the continuing threat of viruses/worms. I guess soon people will realise that bugs will be there, and so will viruses/worms. Consider this:
- Microsoft or any other vendor releases a critical patch every 2 weeks, let's say.
- Your patch upgrade cycle takes three weeks (think of a data centre with thousands of machines running different applications). It is not unusual for companies to test patches on test servers running different applications before the patches are applied to production servers.
So we have a problem. We get patches more often than we can upgrade/patch. One solution I see emerging is TCPA/DRM. That is, the computer runs only those programs that are registered with its kernel (something like good old rksh). I read some story that IBM released Linux code for a TCPA compliant platform. M$'s DRM also follows similar logic. The hard lesson these companies have learnt is:
- There will always be bugs (and worms/viruses).
- End users aren't smart enough to protect their PCs.
What this would mean is that Joe user can't open and run any executable s/he receives in email. Look at the SoBig worm. It's not self-propagating. For something like SoBig to propagate, users must do two stupid things:
1. Turn off unsafe attachment filtering in OE.
2. Download and run the exe.
And this is where TCPA strikes. So a corporate admin registers, say, four or five applications with the OS kernel. Any other code that tries to execute itself is blocked. IMHO, a good solution for the masses. The change is needed because earlier computers were used by people who were technically aware. Today more and more people who use computers are totally clueless about the insides of a PC and shouldn't have to care about them either. Managements want less downtime because of security violations. Many pro-Linux zealots would like to use virus/worm infections to advocate the case of Linux.
But IMHO, this has, to a large extent, nothing to do with Microsoft. So in the future we will see desktops in corporates changing from a general purpose computer to a specific tool customised to the particular corporate's needs.
Re #3: I was shocked by how few people apparently have effective firewalls. The only way to get the Blaster worm was to have port 135 open to the Internet at large. There's just no good reason for that. Even the rather pathetic "IP Security" firewall bundled with Windows 2000 can easily block this after 30 seconds of configuration. That's not to say you should rely exclusively on a firewall for protection, but there's no excuse for not having one.
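The point above is that a host with port 135 reachable from the Internet at large is the problem, whatever patch level it is at. The following is an added example, not code from the thread: a small exposure check you run from outside your own perimeter against your own host to confirm that the RPC endpoint mapper port (and the SMB ports the same interfaces ride on) is actually filtered. The port list and the loopback self-check are constructed for this example.

```python
import socket
from contextlib import closing

# Ports discussed in the thread: 135 (RPC endpoint mapper, the Blaster vector)
# plus the NetBIOS/SMB ports that carry the same RPC interfaces inside a LAN.
RPC_PORTS = {135: "msrpc endpoint mapper", 139: "netbios-ssn", 445: "microsoft-ds"}


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A refused connection or a timeout both count as "not reachable", which is
    what a correctly filtering firewall should produce from the outside."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def exposed_rpc_ports(host: str, ports=RPC_PORTS, timeout: float = 2.0) -> dict:
    """Map each port that accepts connections to its service name.

    An empty dict means none of the RPC-related ports are exposed on host."""
    return {p: name for p, name in ports.items() if port_reachable(host, p, timeout)}


def self_check() -> dict:
    """Constructed demo on loopback: one listening ephemeral port must be flagged,
    and a port that nothing listens on must not be."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        # Grab a second ephemeral port and release it so nothing listens there.
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        found = exposed_rpc_ports("127.0.0.1", {open_port: "demo", closed_port: "demo"}, 1.0)
        return {"open_flagged": open_port in found, "closed_flagged": closed_port in found}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: exposed RPC ports -> {exposed_rpc_ports(target) or 'none'}")
```

Run it from a machine on the far side of the firewall; anything it reports as exposed is what a Blaster-style worm would be able to reach.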
What do you do if a road warrior walks into his cubicle and plugs in his infected laptop? And inside the network you can't ban these ports because they are required for file sharing.
That's a problem, certainly. Situations like this are why I said firewalls shouldn't be relied on exclusively; otherwise you're toast the first time someone finds a way around the firewall, as FirstEnergy found out at their Davis-Besse nuclear plant. The problem can also be mitigated by keeping laptops up to date with security fixes, using antivirus software (updated regularly) on laptops, and when possible using a host-based firewall on laptops when they're connected directly to the Internet. Even better, don't let laptops communicate directly with the Internet; use a VPN (with all non-VPN traffic blocked) or direct dial-in instead. In particular, laptops that are on VPNs should *never* be allowed to do "split" routing and talk to the Internet by themselves, since that leaves the whole VPN vulnerable if someone hacks the laptop.
Yes, but unfortunately you can't stop a stupid user from connecting the laptop to a local ISP and turning off the personal firewall because it, too, was too *pesky*.
There are also some Office security updates that came out last week. http://office.microsoft.com/officeupdate/default.aspx (You will likely need your install CD to complete the update.)
Another problem I noticed is for home users with 56k dialup modems. How does the user download several megabytes of patches, updates and service packs? That means mostly the PCs are left unpatched and vulnerable to attacks.
Re #8: This is where you need to be backed up by written company policy. If someone repeatedly circumvents computer security procedures their job should be at risk.
grc.com has a DCOMbobulator patch - seriously, folks - which is the best individual solution and may be best for business networks depending on their usage. Even after the M$ patches, the DCOM-killer is an improvement.
You have several choices: