Re: New Microsoft Security Bulletin


From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Wed Sep 10 2003 - 14:33:48 PDT


At 10:35 -0700 2003-09-10, John E. Weber wrote:
>Looks like this could be just as bad as the last one:
>
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp

At 10:51 -0700 2003-09-10, John Ives wrote:
>Yes, boys and girls, we are going to do it again!

   A ZDNet article <http://zdnet.com.com/2100-1105_2-5074008.html>
summarizes these newly-identified buffer overrun vulnerabilities,
which affect Windows NT 4.0 through Windows Server 2003:

>The vulnerability revealed Wednesday is similar in nature [to the
>vulnerability exploited by Blaster/Welchia - Aron] and in its
>potential for damage, but it affects the RPC function differently.
>
>"It is a different vulnerability, but they have the same impact, and
>they affect the same ports," said Stephen Toulouse, security program
>manager at Microsoft's Security Response Center. "In terms of
>impact, it is the same."

   There is now a combined critical update (patch) which incorporates
and supersedes the previous patch for the RPC DCOM vulnerabilities.
(Yes, the patch already installed on thousands of campus PCs has now
been identified as providing only partial protection ...) And, as my
colleague Karl Grose mentioned on the ucb-security list, below,
Microsoft has also released a new scanning tool for determining which
PCs need to be updated with the new patch.

   One item of concern: the Microsoft Security Bulletin that John
referenced, above, states that certain Windows PCs may be vulnerable
to attacks using ports 80 (HTTP) and 443 (SSL), as well as at the set
of four UDP ports and four TCP ports previously identified as
vulnerable:

>This particular failure affects the underlying RPCSS Service used
>for DCOM activation, which listens on UDP ports 135, 137, 138, 445
>and TCP ports 135, 139, 445, 593. Additionally, it can listen on
>ports 80 and 443 if CIS or RPC over HTTP is enabled.

   Blocking these two ports may prove more challenging than blocking
the previous set of ports. Hopefully the numbers of campus PCs
running the affected OSes which have Microsoft's "COM Internet
Services or RPC over HTTP" package installed will turn out to be
fairly limited. We'll see ...

   One other tidbit from the Security Bulletin: the integral software
firewall (Internet Connection Firewall) in Windows XP and Server 2003
is configured by default to "block inbound RPC traffic from the
Internet" -- at least on ports other than 80 and 443.

Aron Roberts
Workstation Software Support Group

P.S. One perspective from the aforementioned ZDNet article:

>Mike Cherry, an analyst for research firm Directions on Microsoft,
>said that although weekly disclosures of new software
>vulnerabilities may be hard on Microsoft's image, they represent a
>new attitude about security.
>
>"It would be nice to go a couple of weeks without there being a new
>security bulletin," he said. "But one of the things they promised
>with Trustworthy Computing was to do bulletins on a regular basis
>and deliver better patches, and they've followed through on
>that...The old way was to try to ignore everything and hope security
>wouldn't be a problem."

  --

At 10:47 -0700 2003-09-10, Karl R. Grose wrote:
>
>On Wednesday 10 September 2003 10:31, Graham A. Patterson wrote:
>
>> ...and Microsoft's own KB823980scan.exe reports 'vulnerable' after the
>> recent update.
>
>That tool has been replaced as well. See the appended excerpt from the
>Security Bulletin.
>
>--Karl
>
>======= [from MS03-039] =======
>
>Microsoft has released a tool that can be used to scan a network for the
>presence of systems which have not had the MS03-039 patch installed. More
>details on this tool are available in Microsoft Knowledge Base article
>827363. This tool supersedes the one provided in Microsoft Knowledge Base
>article 826369. If the tool provided in Microsoft Knowledge Base Article
>826369 is used against a system which has installed the security patch
>provided with this bulletin, the superseded tool will incorrectly report that
>the system is missing the patch provided in MS03-026. Microsoft encourages
>customers to run the latest version of the tool available in Microsoft
>Knowledge Base article 827363 to determine if their systems are patched.
>
>=======

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.



This archive was generated by hypermail 2.1.5 : Wed Sep 10 2003 - 14:36:39 PDT