
New Remote Root Exploit for Windows - PATCH YOUR BOX!! [Sticky plz]

Page 3
Originally posted by: glugglug
FYI:

The ports/services this exploits are THE SAME AS MS BLASTER it is essentially the same hole. They didn't make the patch right the first time. Or the second time. I bet they didn't get it right this time either.

This is simply untrue and reeks of ignorance. They are two different exploits in the same binary.
 
Originally posted by: AzNKiD
So what's the answer, do we need to install both patches to be safe or can we just patch with this newest one? I only patch the very very important ones, which this RPC is considered to be. I am more of the "don't fix what's not broken" kind, but with what happened last month, I will do this patch.

You only need the newer one.

The blaster fix had these files:
rpcss.dll ver 5.0.2195.6769
rpcrt4.dll ver 5.0.2195.6753
ole32.dll ver 5.0.2195.6769

The new fix has these files:
rpcss.dll ver 5.0.2195.6810
rpcrt4.dll ver 5.0.2195.6802
ole32.dll ver 5.0.2195.6810

Because the new fix contains all of the same files as the old fix and has higher version numbers, the new fix includes the blaster fix.

(The information was taken from the KB and is for W2K versions of the files.)
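The supersedence argument in the post above ("every file of the old fix is present at a higher version in the new fix") is easy to get wrong in a script if versions are compared as strings. The following is an added example, not code from the thread, that parses the four-part file versions numerically and reports which fix a box carries; the baseline versions are the ones quoted in the post for Windows 2000, and the partially patched sample at the bottom is constructed.

```python
"""Decide which RPC/DCOM fix a Windows 2000 box carries from its DLL versions.

Added example, not from the forum post. Baselines are the file versions the
post quotes; the 'installed' sample is constructed for illustration.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Baseline from the post: files shipped by the Blaster-era fix.
BLASTER_FIX = {
    "rpcss.dll": "5.0.2195.6769",
    "rpcrt4.dll": "5.0.2195.6753",
    "ole32.dll": "5.0.2195.6769",
}
# Baseline from the post: files shipped by the MS03-039 fix.
MS03_039_FIX = {
    "rpcss.dll": "5.0.2195.6810",
    "rpcrt4.dll": "5.0.2195.6802",
    "ole32.dll": "5.0.2195.6810",
}


def parse_version(text: str) -> Version:
    """'5.0.2195.6810' -> (5, 0, 2195, 6810).

    Tuples compare numerically; a plain string compare would rank
    '5.0.2195.999' above '5.0.2195.6810' and report a box as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def meets_baseline(installed: Dict[str, str], baseline: Dict[str, str]) -> bool:
    """True only if every file in the baseline is present at >= its version."""
    for name, minimum in baseline.items():
        if name not in installed:
            return False
        if parse_version(installed[name]) < parse_version(minimum):
            return False
    return True


def patch_level(installed: Dict[str, str]) -> str:
    """Classify a box; the newer fix satisfies both baselines, as the post says."""
    if meets_baseline(installed, MS03_039_FIX):
        return "MS03-039 (includes the Blaster fix)"
    if meets_baseline(installed, BLASTER_FIX):
        return "Blaster fix only (still needs MS03-039)"
    return "unpatched"


# Constructed sample: rpcrt4.dll did not get replaced (e.g. a failed install),
# so the box is still at the Blaster level although the other files are newer.
PARTIAL_BOX = {
    "rpcss.dll": "5.0.2195.6810",
    "rpcrt4.dll": "5.0.2195.6753",
    "ole32.dll": "5.0.2195.6810",
}

if __name__ == "__main__":
    for label, files in [("new fix", MS03_039_FIX), ("old fix", BLASTER_FIX), ("partial", PARTIAL_BOX)]:
        print(f"{label:8} -> {patch_level(files)}")
```

The per-file check matters because a patch that fails half-way leaves a mixed set of versions; checking only one DLL (or only the highest version seen) would mis-report such a box as fixed.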
 
Before the "This email is a hoax!" threads start, you may be receiving an email from Microsoft. The text of the email (at least, the version that I have) is below. I have verified beyond a shadow of a doubt that this text comes straight from Microsoft. If you wish to verify this for yourself, go to http://support.microsoft.com and look up the 1-800 telephone number(s) for Microsoft support and talk to Microsoft yourself.

Dear Valued Microsoft Customer,

We are contacting you today to make you aware that we have released Microsoft Security Bulletin MS03-039 today, September 10, 2003. This bulletin details three critical vulnerabilities in the Windows operating system and provides instructions for applying the corresponding patch. While there is currently no active exploit of this vulnerability, if successfully exploited, these vulnerabilities would allow an attacker to gain control of the target system.

We strongly encourage you to obtain and deploy this patch to any affected system that connects to your network; this includes systems on your local area network and remote or mobile systems. For the most current information on affected systems and recommended remediation steps, please read the bulletin posted at: http://www.microsoft.com/technet/security/bulletin/ms03-039.asp

We understand the potential effect this situation and the recommended remediation steps may have on you. Microsoft is committed to providing you with information and tools to help run your enterprise safely and reliably on an on-going basis. When we become aware of vulnerabilities, it is our goal to quickly share protection and remediation information and work in partnership with you to eliminate these kinds of threats to your business. In order to help protect your computing environment from security vulnerabilities, we strongly encourage you to visit http://www.microsoft.com/technet/security/protect and implement the following three steps in your enterprise:

1. Verify firewall configuration. Audit Internet and intranet firewalls to ensure they comply with your security policy; these are your first line of defense. In addition, evaluate using host-level firewalls such as the Internet Connection Firewall in Windows XP. This is especially important for systems such as laptops and home PCs that connect to your network remotely.
2. Stay up-to-date. Use update services from Microsoft to keep your systems up-to-date.
· Automatic Updates, available on Windows XP, Windows 2000 SP3 and SP4, and Windows Server 2003. Automatic Updates works with the Windows Update Web site to automate the process of updating Windows systems.
· Software Update Services (SUS), a patch-distribution server available for download from our Web site. SUS enables you to deploy a server in your business that Automatic Updates clients will use to get only approved and tested patches.
In addition to using these update services, we strongly recommend that you subscribe to Microsoft's free security notification service at http://www.microsoft.com/securitynotification, so that you are proactively kept aware of new security issues.
3. Use and keep antivirus software up-to-date. Antivirus software programs will help protect your systems against many viruses, worms, Trojan horses, and other malicious code. To protect your systems from new viruses, it's also important to obtain up-to-date antivirus signatures through a subscription service from the antivirus software vendor. You should not let remote users or laptops connect to your network unless they have up-to-date antivirus software installed. In addition, consider using antivirus software in multiple points of your computer infrastructure, such as on edge Web proxy systems, as well as on email servers and gateways.

You should also protect your network by requiring employees to take the same three steps with home and laptop PCs they use to remotely connect to your enterprise, and by encouraging them to talk with friends and family to do the same with their PCs. To make this easier, we have set up a new Web site to assist PC users at http://www.microsoft.com/protect.

Again, we want to encourage you to read this security bulletin and deploy the patch to your systems. We want to thank you for your patience and work with you to protect your business from these kinds of security threats.



Thank you,

Microsoft Corporation
 
Originally posted by: Lestan
Originally posted by: spidey07

Now imagine a decent sized enterprise network - 1000s of routers, 1000s of networks, 10s of thousands of PCs, 1000s of servers, 100s of connections to other ASs and networks beyond your administrative control, 100s of access interfaces into your network and all it takes is one slip, one ip route that you didn't watch, one successful scan for a worm to spread utterly rampant. Please see the forest for the trees.

This crap has to stop. And all you yahoos saying "what are you worried about, all you need is a firewall" are fvcking clueless.

Actually the clueless ones are the old skool thinkers like yourself. How many worms is it going to take before the average Systems Engineer earns his or her title and rethinks how corporate networks are laid out? Each department needs to be VLAN'd and EACH workstation should have a stateful inspection firewall. Properly managed distributed firewalls WILL protect an internal network from most worms, and although Mr. DerwenArtos12 is only managing a simple home network, he has the right idea in firewalling EVERY device. It drives me crazy when Mr. Spidey07's think they know it all and put down simple concepts when it IS the simple concepts that can solve the larger problems.

So do me a favor and google "distributed firewall white paper" then get back to me about how fvcking clueless we all are.

Don't just patch your computers, fix your networks.

Every computer does run a personal firewall and is centrally managed. Every floor of every building on campus is indeed a separate VLAN but that doesn't matter to a worm. There's also a sinkhole router catching all the scanning in addition to IDS and firewalls on all the access points like VPN, dial-up, partners, etc.

OH, and windows kind of needs RPC to function so how would a personal firewall help?
 
Originally posted by: NuclearFusi0n
Originally posted by: SagaLore
Wait a minute!

This is the same RPC exploit that Blaster took advantage of!

NuclearFusi0n, August just called and they want your post back!

edit: Awww crap, it's a revision... oh well, time to patch the network.. again...
Owned called; it's seizing your post.

😀
 
Originally posted by: spidey07
OH, and windows kind of needs RPC to function so how would a personal firewall help?

It lets you block netbios & samba ports from any IP that does not need to map a drive to or remotely manage your box.

Windows needs RPC to localhost to function (and to the domain controller if you are using one), but if the infection attempts are coming from localhost you are already infected anyway (duh).
 
Originally posted by: PG
Originally posted by: rh71
MS prob doesn't support WIN98 anymore so that's why it's not listed (or did I miss it) ... but does it affect 98 ?

No, just affects the most secure OS Microsoft ever made.

Yeah, just my luck. I have the best car Yugo ever made and the most secure OS MS ever made......sigh

 
I had to work from home, (for 4 hours extra) to patch 423 servers. 20-40 at a time using Norton System Center.

Right now, I'm running StealthAudit to make sure they're patched.

I'm glad I get overtime... Management is paying for lunch tomorrow..... Chinese.... 🙂
 
I was just watching Call For Help on TechTV. They said the latest Microsoft patch is bogus. They recommend going to GRC and getting this program which turns off DCOM altogether. I guess most home users don't need this silly DCOM.

 
Originally posted by: friedpie
I was just watching Call For Help on TechTV. They said the latest Microsoft patch is bogus. They recommend going to GRC and getting this program which turns off DCOM altogether. I guess most home users don't need this silly DCOM.

You can't be serious. Score 1 for irresponsible journalism.

Edit: *sigh* You are serious. It's right here: http://www.techtv.com/callforhelp/shownotes/story/0,24330,3516136,00.html

This really pisses me off.
 
Originally posted by: glugglug
Originally posted by: spidey07
OH, and windows kind of needs RPC to function so how would a personal firewall help?

It lets you block netbios & samba ports from any IP that does not need to map a drive to or remotely manage your box.

Windows needs RPC to localhost to function (and to the domain controller if you are using one), but if the infection attempts are coming from localhost you are already infected anyway (duh).

Exactly. Windows workstations do NOT need RPC open to all on the network. I should have said "properly configured personal firewall" in my post, but I figured that was a given.
 
Originally posted by: Lestan
Originally posted by: glugglug
Originally posted by: spidey07
OH, and windows kind of needs RPC to function so how would a personal firewall help?

It lets you block netbios & samba ports from any IP that does not need to map a drive to or remotely manage your box.

Windows needs RPC to localhost to function (and to the domain controller if you are using one), but if the infection attempts are coming from localhost you are already infected anyway (duh).

Exactly. Windows workstations do NOT need RPC open to all on the network. I should have said "properly configured personal firewall" in my post, but I figured that was a given.

Shut down port 135 and 445 via a firewall and then tell me how well the active directory is doing (file sharing, group policy, file replication). That's the biggest problem: every PC needs these ports.

-edit- PC group also uses XP remote assistance. This also uses RPC and port 135.
 
Originally posted by: MrYogi
The patch screwed up my computer. 🙁 I am not able to open most of the websites.

I seriously doubt the patch caused the problem. What *other* changes have you made since the last time you booted your computer?

To the best of my knowledge, IE doesn't use RPC. Nor does the TCP/IP stack or the network card drivers.
 
ok act like i'm 2 years old when you answer this question

If you are behind a router with NO ports forwarded on ANY pcs, what are the chances of getting these worms (not counting from email)??
 
Originally posted by: NogginBoink
Originally posted by: friedpie
I was just watching Call For Help on TechTV. They said the latest Microsoft patch is bogus. They recommend going to GRC and getting this program which turns off DCOM altogether. I guess most home users don't need this silly DCOM.

You can't be serious. Score 1 for irresponsible journalism.

Edit: *sigh* You are serious. It's right here: http://www.techtv.com/callforhelp/shownotes/story/0,24330,3516136,00.html

This really pisses me off.

I have no idea what that first comment was all about, but I'm glad you were able to have a change of heart.


 
Originally posted by: MrYogi
The patch screwed up my computer. 🙁 I am not able to open most of the websites.

Things are slow for me today too. It might be related to some stupid hacking that was supposed to take place today in relation to this security bug, I think.

 
Originally posted by: friedpie
Originally posted by: MrYogi
The patch screwed up my computer. 🙁 I am not able to open most of the websites.

Things are slow for me today too. It might be related to some stupid hacking that was supposed to take place today in relation to this security bug, I think.

Give it about two weeks for the worm to be released.
 
Originally posted by: ndee
Originally posted by: MercenaryForHire
/checks firewall
/notes rule blocking outside RPC access

What vulnerability? 😛

- M4H

if it launches a DDOS attack and someone at your company comes in with a notebook, have fun 🙂

Yeah, we just learned that one the hard way. Just had a 12+ hour day getting rid of that damn Welchia bug and patching our vulnerable computers
 
Originally posted by: spidey07


Shut down port 135 and 445 via a firewall and then tell me how well the active directory is doing (file sharing, group policy, file replication). That's the biggest problem: every PC needs these ports.

-edit- PC group also uses XP remote assistance. This also uses RPC and port 135.

Son, I recommend you research your facts before you try to sound knowledgeable. Remote Assistance uses the RDP protocol over port 3389, not the RPC port.

And don't be silly, you don't shut down 135. You do know that firewalls can permit traffic to only certain IPs, right? You open all necessary ports from the nodes to the DCs only. Active directory and GPOs will work just fine. The goal with the personal firewall is to prevent node-to-node communication. Not sure why you mentioned 445 (SMB) because this vulnerability does not affect that port, but to be safe you should only enable that on the server side anyway. Unless you are doing filesharing from all of your workstations, in which case you have major topology issues and worms are the least of your problems. The server/workstation model should follow a star topology, and you can do this with distributed firewalling. Workstations that talk to all other workstations are not following any topology at all, and that's what allows worms and viruses to propagate so easily.
 
If you run a trace of remote assistance you'll see RPC port 135 being used.

Just run some traces and block port 135. The only reason I'm trying to sound knowledgeable is because I had my engineers follow the recommended "block port 135 and port 445 and netbios ports" on firewalls that separate networks.

Well you know what port 137 broke.
And what 445 broke.
I'm trying to explain what blocking port 135 will break (because the engineers did traces on all this Windows activity and showed it was failing because 135 was denied)

-edit- about ports other than 135, I was referring to the actual Microsoft security bulletin.

Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.
These ports are used to initiate an RPC connection with a remote computer. Blocking them at the firewall will help prevent systems behind that firewall from being attacked by attempts to exploit these vulnerabilities. You should also be sure to block any other specifically configured RPC port on the remote machine.
If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP ports 80 (and 443 on XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected systems.
More information on how to disable CIS can be found in Microsoft Knowledge Base Article 825819.

For information regarding RPC over HTTP, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp.
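The two positions in this exchange are reconcilable: the bulletin's port list says what to block at a perimeter, and glugglug's and Lestan's posts say the same ports can stay open on a workstation toward the domain controllers and management hosts while being closed to every other peer. The block below is an added example, written for this page and not code from any poster or from Microsoft, that models such a host-firewall policy and runs it over a handful of inbound connection attempts; the port sets are the ones quoted from the bulletin above, while the addresses, the trusted-host list and the sample packets are constructed.

```python
"""Toy host-firewall policy: RPC/SMB ports open only to trusted peers.

Added example, not from the thread. Port lists are the ones the Microsoft
bulletin quoted above tells you to block at the perimeter; on a workstation
the same ports are allowed only from loopback, the domain controllers and
designated management hosts. Addresses and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# From the bulletin: UDP 135, 137, 138, 445 and TCP 135, 139, 445, 593.
RPC_UDP_PORTS = {135, 137, 138, 445}
RPC_TCP_PORTS = {135, 139, 445, 593}

# Constructed: the only peers a workstation must accept RPC/SMB from
# (domain controllers for logon/GPO/replication, one management host).
TRUSTED_PEERS = {
    ipaddress.ip_address("10.0.0.10"),   # DC1
    ipaddress.ip_address("10.0.0.11"),   # DC2
    ipaddress.ip_address("10.0.0.250"),  # helpdesk / patch-management host
}


@dataclass(frozen=True)
class Packet:
    src: str      # peer address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on this workstation


def is_rpc_port(proto: str, port: int) -> bool:
    if proto == "tcp":
        return port in RPC_TCP_PORTS
    if proto == "udp":
        return port in RPC_UDP_PORTS
    return False


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for an inbound packet to this workstation."""
    proto = pkt.proto.lower()
    if proto not in ("tcp", "udp"):
        return ("deny", "protocol not handled by this policy")
    src = ipaddress.ip_address(pkt.src)
    if src.is_loopback:
        return ("allow", "local RPC is required by Windows itself")
    if not is_rpc_port(proto, pkt.dport):
        return ("allow", "port not covered by the RPC/SMB policy")
    if src in TRUSTED_PEERS:
        return ("allow", "domain controller or management host")
    return ("deny", "node-to-node RPC/SMB is blocked")


def filter_log(packets: Iterable[Packet]) -> List[str]:
    """Apply the policy and produce one log line per packet."""
    return [
        f"{decide(p)[0].upper():5} {p.proto}/{p.dport} from {p.src}: {decide(p)[1]}"
        for p in packets
    ]


def noisy_peers(packets: Iterable[Packet], threshold: int = 2) -> List[str]:
    """Peers with at least `threshold` denied RPC/SMB attempts.

    A single host hitting many workstations on 135/445 is what a scanning
    worm looks like from the inside; the denies are the detection signal.
    """
    counts = {}
    for p in packets:
        if decide(p)[0] == "deny":
            counts[p.src] = counts.get(p.src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample traffic.
SAMPLE = [
    Packet("127.0.0.1", "tcp", 135),   # local RPC endpoint mapper use
    Packet("10.0.0.10", "tcp", 135),   # DC1 talking to the workstation
    Packet("10.0.0.10", "tcp", 445),   # DC1 SMB (GPO/SYSVOL)
    Packet("10.0.0.57", "tcp", 135),   # another workstation: blocked
    Packet("10.0.0.57", "udp", 137),   # another workstation: blocked
    Packet("10.0.0.57", "tcp", 80),    # not an RPC/SMB port: not this policy's job
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE):
        print(line)
    print("noisy peers:", noisy_peers(SAMPLE))
```

The policy keeps Active Directory working because the domain controllers stay reachable on every port the bulletin lists, while a workstation scanning its neighbours gets nothing but denies. Counting those denies per source, as `noisy_peers` does, is the simplest form of the sinkhole/IDS view spidey07 describes.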


 
Originally posted by: Regs
Originally posted by: fivespeed5
$%@$ seriously time to finally put linux on my laptop

So when everybody converts they'll start making exploits on linux...makes sense.

*Goes to patch yet again .


Very well said. That is the main point I think people miss when they start blabbing about how insecure windows is. My feelings are that windows is just the target. What's the point in making a virus or exploiting a weakness in Linux? You're not gonna hit too many people. I think if roles were reversed and Linux was the most common OS then we would all be patching our Linux OSes on a regular basis as well.
 