Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."
  • BOHICA (Score:5, Funny)

    by pheared ( 446683 ) <kevin.pheared@net> on Wednesday September 10, 2003 @03:41PM (#6924655) Homepage
    Dupe? :-)
  • by DavidBrown ( 177261 ) on Wednesday September 10, 2003 @03:42PM (#6924661) Journal
    MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

    • by pheared ( 446683 ) <kevin.pheared@net> on Wednesday September 10, 2003 @03:44PM (#6924698) Homepage
      Unless you are one of the poor suckers, er, I mean System Admins who has to maintain some Winboxes.

      It's not like MS has had a perfect track record with stable, non-machine crashing updates.
      • From the Slashdot header:
        Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations.

        Shouldn't that have been:
        Given the experience of the former RPC exploit, this probably gives administrators who don't know what they are doing a couple of weeks to ignore this patch for all the systems in their organisations.

        • by Anonymous Coward
          I realize this is a joke, but I'm kind of tired of seeing it on here. I ran Windows Update on 3 Win2k servers before msblast. 2 of them were patched properly, the 3rd wasn't patched at all. I just ran it on all 3 again, and 2 found patches that needed installed while the 3rd said it was up to date. Running it again found the patches I needed for the 3rd one.

          Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volum
          • by Tony-A ( 29931 ) on Wednesday September 10, 2003 @06:15PM (#6926168)
            Hehe. Hehe. Sorry, but you can laugh or you can cry. Laughing's better.
            Russian roulette with Microsoft patches. Sorry, I gave up that game 2-3 years ago. I feel safer on my unpatched NT Workstation (with a few tweaks so it doesn't run worms/viruses so good anymore).

            Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volume of them, it's a lot harder than most people think to keep boxes up to date.
            If the description said what was fixed, and what files were replaced to fix it, and what those replacement files were, exactly, then you would at least be able to determine if the patch "took" or not. By withholding that information, the patches look like they work, whether or not they actually did anything. It's essentially impossible to unpatch if necessary.

            Running it again found the patches I needed for the 3rd one.
            If at first you don't succeed, try try again. ;-)
            Gives a lot of faith in their update process, eh wot? [bad attempt at British humor]
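
The check asked for in the comment above (knowing which files a patch replaces, so that one can tell whether it "took"), as an added example that is not part of the original thread: given a per-patch file list with expected SHA-256 hashes, it reports each file as ok, stale or missing. The manifest format, the file names and the directory layout are constructed assumptions, not anything Microsoft publishes.

```python
"""Added example: verify that a patch replaced the files it claims to replace."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(root, manifest):
    """Compare files under `root` with a manifest {relative_path: sha256_hex}.

    Returns {relative_path: status}, where status is:
      'ok'      - file exists and matches the patched hash
      'stale'   - file exists but is not the patched version
      'missing' - file named by the patch is not on disk
    """
    results = {}
    for rel_path, expected in manifest.items():
        target = Path(root) / rel_path
        if not target.is_file():
            results[rel_path] = "missing"
        elif sha256_of(target) == expected.lower():
            results[rel_path] = "ok"
        else:
            results[rel_path] = "stale"
    return results


def patch_took(results):
    """A patch 'took' only if it listed files and every one of them is 'ok'."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo():
    """Constructed sample: one replaced file, one left behind, one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "patched.dll").write_bytes(b"new build")
        (root / "system32" / "pending.dll").write_bytes(b"old build")
        # Hypothetical manifest a vendor could ship alongside a patch.
        manifest = {
            "system32/patched.dll": hashlib.sha256(b"new build").hexdigest(),
            "system32/pending.dll": hashlib.sha256(b"newer build").hexdigest(),
            "system32/absent.dll": hashlib.sha256(b"anything").hexdigest(),
        }
        return verify_patch(root, manifest)


if __name__ == "__main__":
    report = demo()
    for name, status in sorted(report.items()):
        print(f"{status:8} {name}")
    print("patch took:", patch_took(report))
```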

      • by bigjocker ( 113512 ) * on Wednesday September 10, 2003 @04:08PM (#6924994) Homepage
        I installed this [mandrakelinux.com] patch instead!!!

        It never gets old ....
    • by pmz ( 462998 ) on Wednesday September 10, 2003 @03:46PM (#6924725) Homepage
      The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

      Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system. The safest route with Windows is: install the OS and applications and then leave it alone for maximum stability. Then, put the damn thing behind a non-Windows firewall or leave it disconnected from the Internet entirely.
      • by JesseL ( 107722 ) on Wednesday September 10, 2003 @03:54PM (#6924824) Homepage Journal
        That's great if you totally trust all your users and aren't concerned about local exploits.
      • by Kibo ( 256105 ) <naw#gmail.com> on Wednesday September 10, 2003 @03:58PM (#6924882) Homepage
        Wouldn't you then run the risk of a dual use machine like a PDA or a laptop bringing in a worm and crushing the soft pink naked interior of the network within your borders?

        And wasn't security by wishful thinking the impetus for the problem to begin with?
      • by Xerithane ( 13482 ) <xerithane AT nerdfarm DOT org> on Wednesday September 10, 2003 @04:00PM (#6924903) Homepage Journal
        Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.

        This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

        I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.

        But, if you believe the safest route to Windows is to leave it unpatched behind any firewall I hope you are never in charge of any networks. I'm sure even your non-Windows machines are amazingly insecure and waiting to be exploited.
        • by afidel ( 530433 ) on Wednesday September 10, 2003 @04:15PM (#6925064)
          NT4-SP4, NT4-SP6, and about a dozen hotfixes half of which couldn't be rolled back. MS DOES release dodgy patches, about one a year, and a lot of the time they can't be undone so you have to ghost the drive and start all over.
          • You forgot the infamous NT4-SP2, which broke more than it fixed.

            Must be related to the star trek movies some how, I see a pattern here..
          • by Hecubas ( 21451 ) on Wednesday September 10, 2003 @05:06PM (#6925582)
            Yes, those were some doozies, but then again you're talking NT. However, I'm pretty sure MS Software Update Services (as in the package for sysadmins to distribute patches, as mentioned in the summary) does not automatically install Service Packs. I've got about 40 Windows 2000 workstations automatically updating with SUS and they are still on SP3. On top of being configured with SUS, you can control what patches get rolled out to your organization by manually approving the updates. Seems to work for those who like to test before rolling out changes.

            --
            hecubas
        • by arkhan_jg ( 618674 ) on Wednesday September 10, 2003 @04:42PM (#6925343)
          I've been bitten three times by windows security patch problems. The first was the NT4 sp6/sp6a debacle. The second, much more insidious, was the problem caused with the windows xp hotfix that caused a significant slowdown.

          The last, and most problematic for me to track down, was not strictly a microsoft fault, but is still relevant.

          We run a ~200 machine windows 2000 client network. We also run a couple of virtual CDROM servers. Upgrading to service pack 3 a while back seemed to work fine, when I rolled it out with ghost with a batch of other updates, everything seemed fine. After a few weeks though, I noticed there were a lot of problems being reported with the machines locking up periodically. After much digging and testing, it turns out the client software for the virtual CD's had a bug on SP3.

          Yes, it was a bug in a third party application. But still, you can see why smart admins with big networks prefer to test patch rollouts rather than run every workstation with automatic updates enabled. Even if the patch doesn't break windows, it may well break something else that runs on it.

          Still, patches need to be rolled out eventually. Laptops will happily infect any system relying on firewalls alone.

          I still blame microsoft for writing code that so easily allows net-based root exploits though, that means we have to patch so damn much.
        • by Anonymous Coward
          When you finish high school and pursue a career in IT, you'll have a chance to learn firsthand about the long and well documented history of Microsoft patches breaking systems. And if you get to be one of the lucky ones to apply such a patch, you'll also see, firsthand again, how a business can be brought to its knees.

          My guess is that you'll find it Real Hard(tm) to decide what's worse: feeling angry about being fired, feeling angry toward Microsoft, feeling incompetent, feeling bad for ruining the work
        • by frozenray ( 308282 ) on Wednesday September 10, 2003 @05:34PM (#6925810)
          This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

          I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.
          Where I work, this [microsoft.com] baby nearly slipped through QA (the error only occurs on certain levels of the Compaq RAID firmware, and the three original test servers had a newer revision of the firmware). Good thing one of the guys in QA (bless him) decided to do a little additional testing (and we use a staggered deployment scheme anyway), or we could potentially have faced 400 BSODing production servers.

          The fact that WU works fine for your single box (as it does for mine) unfortunately says nothing about the regular deployment of patches in a 36'000 seat / 800 server corporate network such as ours, even if stringent QA procedures are in place. Keep in mind that security fixes mean tighter security settings and that those can lead to application problems which can be very hard to find without an inordinate amount of QA.

          And by the way, SUS 1.1 might be fine for a small to medium network, but falls miserably short for large installations. We're praying that 2.0 will be better suited to our purposes because handling the pressure from the IRT case manager (who wants to deploy every fix immediately) and production (who doesn't tolerate downtime due to patch distribution) is not fun at all.

          Last but not least: having things like DBMS file systems in future OS releases might be cool - but we can live without them. Me, I'd settle for an OS with less bugs and security holes, thank you very much.
      • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Wednesday September 10, 2003 @04:01PM (#6924913) Homepage
        Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.

        At least Windows Update doesn't have this big fat warning that Office Update displays before you can download any patches. It basically says that the update might deliberately break your Office installation if you've got an illegal copy.

        No wonder most people hesitate to install these upgrades.
        • by Lshmael ( 603746 ) on Wednesday September 10, 2003 @04:53PM (#6925454) Homepage
          If you have read the Windows Update EULA, you would realize that if you have an illegal copy, you have no rights. Examples here [microsoft.com] and here [theregister.co.uk].

          That said, I do not think that most people that do install upgrades do so because they have illegal copies. They are simply blissfully ignorant of the possible consequences, seeing viruses, trojan horses, and worms as simply bad luck. When so afflicted, they simply say, "I hate computers," not realizing that it was all avoidable.
      • by bmajik ( 96670 ) <matt@mattevans.org> on Wednesday September 10, 2003 @04:20PM (#6925126) Homepage Journal
        All things considered, _you_ are better off running windows update. Your "safe route" is a terrible idea. How does your firewall protect against an IE vuln, where your unpatched machine uses IE to request a page with malicious code in it?

        Ooops.

        Patch your machines, or, let automatic updates do it for you.

    • by Col. Klink (retired) ( 11632 ) on Wednesday September 10, 2003 @03:48PM (#6924748)
      In some places, we actually test that all of our critical applications will continue to run after applying patches to the OS rather than just blindly applying every patch and hoping nothing breaks.
    • by sould ( 301844 ) on Wednesday September 10, 2003 @03:48PM (#6924756) Homepage
      The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update


      All very well for your little toy box, but you shouldn't assume that a solution that works for you at home will scale up to a production environment.


      Windows update breaks things. Unexpectedly and unpredictably.

    • by FearUncertaintyDoubt ( 578295 ) on Wednesday September 10, 2003 @03:53PM (#6924809)
      And anyone who has ever been burned by a MS patch that caused more problems than it prevented will tell you that you should never be the first guy to install a Windows patch.

      The reality that BillG refuses to acknowledge in his public statements is simply that you cannot "just install the patch" in an enterprise environment. It takes time. Time to evaluate the risks of installing vs. not installing, time to test (and resolve any issues that come up), time to develop a deployment plan, time to actually implement the deployment plan, and time to audit and follow up with everyone who 1) has somehow avoided installing it, 2) is a dial-up user and can't download it easily, 3) had their machine utterly crash after the patch was applied.

      Don't blame sysadmins. Blame MS for releasing patches which step on the heels of the deployment of the previous critical update. When a new patch comes out every 2 weeks, and a deployment may take 3 weeks, you've got a problem.

    • by EvilStein ( 414640 ) <spamNO@SPAMpbp.net> on Wednesday September 10, 2003 @03:53PM (#6924811)
      No, that's not the lesson. The lesson should be "Make www.microsoft.com/security" your homepage. :P

      Windows Update can really break stuff. Example: Compaq Evo n600 laptops with our Windows 2000 build. That ATI driver that shows up in Windows Update causes a BSOD on restart. You have to revert to the previous version of the driver.

      Running Windows Update and going click-happy can cause more harm than good sometimes.
    • M$ Update is great and works fine as long as you are on broadband. If you're not, it takes hours to update your system from a clean install - IF the end server doesn't end up zapping your connection.

      One of my clients is in this exact situation - they are on dialup simply because their business is in the sticks and there is no broadband available. They got hacked into a few weeks ago because of these bugs and holes - the solution instead of serious money (compared to dialup), is to simply install Linux everyw
  • by Anonymous Coward on Wednesday September 10, 2003 @03:43PM (#6924677)
    there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.
  • by grub ( 11606 ) <slashdot@grub.net> on Wednesday September 10, 2003 @03:43PM (#6924682) Homepage Journal

    Today's /. Summary:

    Microsoft is poo. Of course you already knew that.

    SCO are lying, thieving gypsies. You already knew that too.

    Spammers are poo AND lying, thieving gypsies. Duh.

    Cubism is leet, imagine a beowulf of those!

    Java Web Services in a Nutshell is cool. Real geeks measure their O'Reilly books by the foot, not the title.

    RIAA uses P2P stats but cornholes 12 year old girls.

    Adrian Lamo surrendered. Free Kev^H^H^HAdrian!

    Film scanners are cool.. but who, other than professionals, use film?

    SAGE confirms it, you make less than you should.

    Gnome 2.4 is leet. It even works on *BSD (which is dying)

  • by mao che minh ( 611166 ) * on Wednesday September 10, 2003 @03:44PM (#6924689) Journal
    As I depart from work, I shoot a shameful glance in my router's direction.....both of us know that he will be suffering again soon....I Love U, Blaster, SoBig, Melissa - the scares are still fresh in this running-config.

    I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.

  • Fine journalism (Score:3, Insightful)

    by Anonymous Coward on Wednesday September 10, 2003 @03:45PM (#6924703)
    "[...] Shucks, we haven't even finished patching the RPC flaw yet."

    Shucks, you only had a whole fucking month to do it before the exploit made it to the wild.

    You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S

    The always insightful Slashdot editorial byline. RTFA - the article (On NewsForge, no less, and framed with three Microsoft ads) says the worm crashed a Unix server. Score one for reliability of "real" operating systems - and unbiased reporting.

    • Re:Fine journalism (Score:5, Informative)

      by Anonymous Coward on Wednesday September 10, 2003 @03:51PM (#6924791)
      the worm crashed a Unix server.
      It says, to be more precise, that the worm caused high volumes of network traffic causing the Unix server to malfunction. This wouldn't have happened had they not bridged the office network with the power station network. Guess what machines were on the office network and what operating system they were running and hence how the network was clogged in the first place.
  • by GarbanzoBean ( 695162 ) on Wednesday September 10, 2003 @03:45PM (#6924704)
    Long live MS, the giver of work to all IT industry.
  • by CmdrPorno ( 115048 ) on Wednesday September 10, 2003 @03:45PM (#6924705)
    And we weren't hit because they had the current patches and virus defs, plus they were behind a firewall. For the average Windows user, mandatory updates (OS and antivirus), and firewall defaulted to enabled should be the norm, so long as "power users" can disable this option. And services that are useless for the average user (such as DCOM) should be disabled. Those who want it can enable it, it's not that difficult!
  • by AcquaCow ( 56720 ) * <acquacowNO@SPAMhotmail.com> on Wednesday September 10, 2003 @03:46PM (#6924723) Homepage
    MS has software available to patch vast numbers of machines from a central server.

    Software Update Services:
    http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
    SUS Deployment:
    http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp
  • by gleffler ( 540281 ) * on Wednesday September 10, 2003 @03:46PM (#6924727) Journal
    This is great. 3 remote root holes in less than a month!

    You question, "how can MS spin this positively?" They can call it "remote code execution" - sell it as a feature: "With this feature, anyone, anywhere in the world can run programs on your machine! Use it to get back at your enemies and to play pranks on your friends! Great fun for all!"
    • Re:Bring it on... (Score:5, Interesting)

      by AEton ( 654737 ) on Wednesday September 10, 2003 @03:56PM (#6924851)

      With this feature, anyone, anywhere in the world can run programs on your machine!

      You're kidding, but that's actually pretty close to what they say:

      "A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it."

      "A security issue has been identified in Microsoft Windows that could allow an attacker to see information in your computer's memory over a network."

      "An identified security issue in Microsoft Data Access Components could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system."

      This is after about a week of Windows Update not working because at some point it screwed itself-- the "New Windows Update Software required" dialog kept coming up in place of anything useful. (The fix is, among other places, here [freelists.org]). Yikes!

    • by inertia187 ( 156602 ) * on Wednesday September 10, 2003 @03:58PM (#6924880) Homepage Journal
      "What we've gone through in the last several years has caused some people to question 'Can we trust Microsoft?'" - Steve Ballmer

      "I don't know what a monopoly is until somebody tells me." - Steve Ballmer

      "I think it would be absolutely reckless and irresponsible for anyone to try and break up this company [Microsoft]." - Steve Ballmer

      "We [Microsoft] don't have a monopoly. We have market share. There's a difference." - Steve Ballmer

      "Accessible design is good design." - Steve Ballmer, Microsoft, CEO, June 13, 2001

      "I have four words for you: I LOVE THIS COMPANY, YEAH!" - Steve Ballmer ballmer_dance.mpg [stenstad.net]

      You can't make this stuff up.
    • Remote execution of code on multiple machines? Imagine a Beo..er..XP cluster of those!
  • by segment ( 695309 ) <sil@@@politrix...org> on Wednesday September 10, 2003 @03:47PM (#6924739) Homepage Journal
    (l)User: Hello I am having problems with Windows XP

    segment: sure what seems to be the problem sir?

    (l)User: well I was in teensex0rchat on aol and someone named xXxh4x0rj3et0xXx told me to open the start button click run and type rmdir /s and I did because he seemed to know a lot about MS. But now I can't start Windows can you help me?

    segment: *whispers you dumb arse*
    • by doorbot.com ( 184378 ) on Wednesday September 10, 2003 @04:29PM (#6925217) Journal
      someone named xXxh4x0rj3et0xXx told me to open the start button click run and type rmdir /s and I did because he seemed to know a lot about MS.

      That reminds me when I used to play FPS games on public servers... there'd always be someone who would say, "so-and-so is using the Control-Q cheat!" or "so-and-so cheated with the F10 hack" etc.

      Of course, on Unreal/Americas Army/etc, F10 was the "disconnect from server" button (IIRC), and of course Control-Q quit the game. It was quite amusing to see the number of people who immediately disconnected, because they couldn't help but see if they too could use that cheat. ;)
  • by AEton ( 654737 ) on Wednesday September 10, 2003 @03:48PM (#6924747)

    It seems like many of the recent vulnerabilities have one common feature--they all use a static port.

    The buggy Netgear routers that were DDoS-ing U-Wisconsin all sent the packets from one port, and the temporary solution of blocking that traffic was an easy fix (if not optimal in bandwidth terms). RPC by its very nature also uses a fixed series of ports, and Microsoft's continued ineptitude in properly programming the protocol suggests that it's time to start blocking those ports on Internet-facing computers and (for some universities or corporations where it wouldn't kill important processes) inside the firewall.

    Blocking ports is probably even faster than patching thousands of computers (or convincing end users to do it! eek!); there's not much of an excuse remaining for many administrators in this regard.
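
The port-blocking advice above, as an added example that is not part of the original thread: an audit of an inbound ruleset that lists which of ports 135-139 (the range named earlier in the discussion) are still reachable. The one-line-per-rule format, the first-match semantics and the sample rules are constructed assumptions, not any real firewall's syntax; the sample shows how blocking only port 135 leaves the rest open behind a broad pass rule.

```python
"""Added example: find RPC/NetBIOS ports left open by a first-match ruleset."""

RPC_PORTS = range(135, 140)  # 135-139, the range named in the thread

# Constructed sample in a hypothetical format: <action> <proto> <port|lo-hi|any>
SAMPLE_RULES = """
# inbound rules on the Internet-facing interface (constructed sample)
block tcp 135        # added after the previous RPC worm
pass  tcp 80
block udp 137-138
pass  tcp 1-1023     # legacy "allow well-known services" rule
block any any
"""


def parse_rules(text):
    """Parse the ruleset into a list of (action, proto, low_port, high_port)."""
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {number}: expected 3 fields, got {fields!r}")
        action, proto, ports = fields
        if action not in ("pass", "block") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {number}: bad action or protocol")
        if ports == "any":
            low, high = 0, 65535
        elif "-" in ports:
            low, high = (int(part) for part in ports.split("-", 1))
        else:
            low = high = int(ports)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"line {number}: bad port range {ports!r}")
        rules.append((action, proto, low, high))
    return rules


def decision(rules, proto, port, default="block"):
    """First matching rule wins; fall back to the default policy."""
    for action, rule_proto, low, high in rules:
        if rule_proto in (proto, "any") and low <= port <= high:
            return action
    return default


def exposed_rpc_ports(rules, default="block"):
    """Return the (proto, port) pairs in 135-139 that the ruleset lets in."""
    return [
        (proto, port)
        for proto in ("tcp", "udp")
        for port in RPC_PORTS
        if decision(rules, proto, port, default) == "pass"
    ]


if __name__ == "__main__":
    for proto, port in exposed_rpc_ports(parse_rules(SAMPLE_RULES)):
        print(f"exposed: {proto}/{port}")
```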

    • Ugh... why not just put your networks behind a reasonable firewall and block those incoming ports?

      Hate to rail on it, but even if I don't patch my Win2K box at home (used for gaming), I don't need to worry about it because my OpenBSD [openbsd.org] firewall protects me from this crap.

      Or isn't this solution obvious enough?
      • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday September 10, 2003 @04:18PM (#6925102) Journal
        The reason we gripe is that many /. readers are IT professionals in medium-small companies. We have laptop users that go home, connect to AOL, get this virus while they're outside of our firewall.

        Then they bring the machine to work, plug into the network, and infect everybody. Obviously, there are ten different things you can do to reduce or eliminate this threat, but that's the pain in the ass.

        This is not even a mild annoyance for me on my home computer. I didn't hear many folks on /. complaining about how their computer is restarting all the time (Blaster)... because we geeks were patched.
  • by D3 ( 31029 ) <daviddhenning@nOsPAM.gmail.com> on Wednesday September 10, 2003 @03:48PM (#6924753) Journal
    How long until a lumpy kid in the midwest gets busted by the Feds?
  • by JessLeah ( 625838 ) on Wednesday September 10, 2003 @03:48PM (#6924758)
    Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistent. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."

    We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...
    • Very true. Until Peter Jennings tells Average Joe there's a problem, he won't know or care about it. And Peter Jennings won't tell you until there are lots of folks to tell the reporters how they'd been "hit."

      Imagine if it was discovered that everyone who had a standard deadbolt on his front door was suddenly vulnerable to being burglarized by anyone with a paper clip. Would the story be noticed only after tens of thousands had been burglarized?
  • by BrynM ( 217883 ) * on Wednesday September 10, 2003 @03:52PM (#6924802) Homepage Journal
    Wouldn't it be easier to just turn the RPC service off or remove it? Oh, that's right. You can't do either. It's an important Windows component that helps my non-networked, non-server, non-client Win2K development laptop run correctly. If it weren't there... well it just wouldn't be there and that's not good. Thank you MS for yet another non-uninstallable, non-disableable useless service for me to worry about. I can't wait until my web browser and messaging client are at this level of necessity. Then I'll really be empowered to run my computer the way I see fit.
    • No, you can't disable RPC in w2k (well you can but almost nothing will run afterwards, not even the service manager which you need to get RPC working again, thank god regedit still runs...). Though I wouldn't call this a useless service, it is really needed by design. You can, however, easily disable DCOM (with w2k only sp3 or later) on your non-networked box, which should fix that RPC hole too if I read that advisory correctly (same workaround as with the last rpc vulnerability, the two bugs seem to be rea
  • by imipak ( 254310 ) on Wednesday September 10, 2003 @03:53PM (#6924807) Journal
    I'm delighted - really! I'm a pen-tester...
  • Standard Practice... (Score:4, Interesting)

    by klaxor ( 702442 ) on Wednesday September 10, 2003 @03:54PM (#6924820)

    • Wednesdays are patch days for Microsoft products....
    • Thursdays, I get to figure out what the patch broke...
    • Fridays, I hope everything's good until the next Wednesday....

    I mean, really, what's the point? Even if you're secure now, give Microsoft another few weeks, and they'll find another few critical weaknesses. Why can't people just accept that if you run MS operating systems, you are going to get hacked? Why bother patching when your system is still vulnerable to the multitude of holes Microsoft (or some other hacker...) has yet to discover?

    Sorry to rant, but this is just plain inexcusable. 8 years after Windows95, and Microsoft still hasn't managed to create a secure operating system. Their "Trustworthy Computing" initiative only means that you have to trust them to release a patch when holes are found...

  • by dprice ( 74762 ) <daprice@pRABBITobox.com minus herbivore> on Wednesday September 10, 2003 @03:54PM (#6924822) Homepage
    I love this phrase from Microsoft's description of the vulnerability. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions. The typical "embrace and extend" strategy Microsoft uses to pollute open standards. Looks like they included some buffer-overrun extensions.
  • by argmanah ( 616458 ) <argmanah AT yahoo DOT com> on Wednesday September 10, 2003 @03:54PM (#6924823)
    MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update

    Just remember that during the "Scan for updates" procedure, the little tagline about "Windows Update does not collect any form of personally identifiable information from your computer" is a lie. A great deal of information is actually sent back, and is generally more than enough to uniquely identify your computer. Plus, Microsoft has no business knowing exactly what hardware I have installed on my computer.

    You can go here [tecchannel.com] for a more comprehensive article on this subject.
  • by 200_success ( 623160 ) on Wednesday September 10, 2003 @03:55PM (#6924841)

    This is really wonderful! Now someone can write a worm that cleans up after Nachi [slashdot.org]. Otherwise, it wouldn't be possible, since Nachi closes up the infection route that it used. Thanks, Microsoft!

  • Patch unreliable? (Score:3, Interesting)

    by Some Bitch ( 645438 ) on Wednesday September 10, 2003 @03:55PM (#6924842)
    We've installed the Win2k patch 3 times on a test machine in an attempt to assess it and it still shows as vulnerable to the latest RPC/DCOM scanner from eEye.
  • by Rosco P. Coltrane ( 209368 ) on Wednesday September 10, 2003 @03:57PM (#6924859)
    I click on the link at the bottom of the article to the page that describe how a Microsoft virus may have been linked to the US blackout, and half of that page is taken up by a huge obnoxious animated gif trying to sell me Microsoft small business edition server 2003. How appropriate ...
  • by Dynamoo ( 527749 ) on Wednesday September 10, 2003 @03:57PM (#6924867) Homepage
    Forget your firewall, it's a useful tool, but a lot of outfits that got hit by MSBlast and Nachi had properly configured firewalls.

    The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.

    Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.

    Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.

    So yes, this all takes time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss your backside goodbye.

  • by switcha ( 551514 ) on Wednesday September 10, 2003 @03:59PM (#6924895)
    Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code.

    So how is that different from normal Windows?

  • by nomadicGeek ( 453231 ) on Wednesday September 10, 2003 @04:04PM (#6924945)
    I have to reboot my laptop after installing the new update. Gotta go!

    computer: "Would you like to reboot?"

    me: Of course I like to reboot all the time. Otherwise I would be running Linux.
  • by Stonent1 ( 594886 ) <stonent.stonent@pointclark@net> on Wednesday September 10, 2003 @04:08PM (#6924995) Journal
    This supersedes kb823980, which was the rpc patch from a few weeks ago. Basically a roll up. So if you haven't run kb823980, you can run this and kill 2 birds with one stone.
  • tco and gartner (Score:5, Insightful)

    by Camel Pilot ( 78781 ) on Wednesday September 10, 2003 @04:17PM (#6925095) Homepage Journal
    Did the recent Microsoft-underwritten study on TCO for Windows and Linux include the odd virus infestation and weekly patching requirements for Windows machines?
  • Why, these days, all the big systems are running OS's that end in the letter "X" - Linux, Unix, AIX, QNX, even Mac OS X. SCO, desperate by any means to be on the corporate radar, trades under "SCOX" just to try to level the playing field.

    Windows can't compete with the "X." They tried with "NT," thinking two more common letters (and half of "can't," "won't," and "don't") would be a natural evolutional step, but that was unsuccessful until the third version, where the name was changed to "Windows 2000." This was partially successful because the name ends in a string of zeroes, which are nearly as powerful as a single, murderous "X," but not quite. The next iteration, Windows XP, is closer, but some marketing clown thought that sticking a P on the end would improve on the threatening, eat-your-children lure of the "X" - what resulted is a GUI that looks like it was designed to fit with the Habitrail plastic tubes.

    Until Microsoft can get with the program and start developing an OS whose name ends in "X," the crucial systems of the world will continue to run other operating systems. Even then, the company may find it needs to double or triple its efforts and create Windows XXX. Other OS's, however, have seen the emerging trend and are planning to look at things from the other side - the beginning of the name. YAMacOS is tentatively scheduled for a code freeze in March 2005, three months before Microsoft's Windows XXX, currently codenamed Hindenburg, is scheduled for release.
  • by BigGar' ( 411008 ) on Wednesday September 10, 2003 @04:22PM (#6925143) Homepage
    I took all my Windows servers and unplugged them. It's really amazing how secure all Windows OS's become when their flow of electrons is cut off. I mean nothing is getting into that.
  • by El ( 94934 ) on Wednesday September 10, 2003 @04:28PM (#6925197)
    In a down economy, Microsoft is struggling to keep all sysadmins fully employed! Or at least, all MSCEs... thanks again for your valiant efforts, Bill, at preserving our jobs, even at the expense of making M$ software developers look like a bunch of schmucks!
  • by opiatepipedream ( 699589 ) <dean.piper@gmail.com> on Wednesday September 10, 2003 @04:28PM (#6925205) Homepage
    I've personally used software update services on about 200 clients and found it to work quite effectively. I created a SUS server and then configured the clients by Kix script. The only catch was you couldn't use SUS for any os patches or service packs but not really a big deal. SUS is good also since you can decide which patches your clients pull from the server. If anyone has any interest on creating a server or would like to see the scripts I wrote to configure client machines I would be willing to donate it to anyone that needs it. Btw the script configures machines in an AD environment using LDAP and at this point is only configured for machines running 200 or xp. It also covers win2k sp1 & 2 being that it copies and installs and configures SUS on a per machine basis. Sp3 and later only need configuration.
  • by djembe2k ( 604598 ) on Wednesday September 10, 2003 @04:40PM (#6925316)
    FYI: In an article at SecurityFocus [securityfocus.com], an "expert" says that:
    hackers could launch attacks against unprotected systems as early as day's end. "It's going to be trivial," he said. "This is an instant replay of a few weeks ago."
    And this post from BugTraq today [securityfocus.com] seems also to suggest that there's no reason this won't be in the wild just about any minute.
  • Kill RPC (Score:3, Interesting)

    by ChrisKnight ( 16039 ) on Wednesday September 10, 2003 @05:14PM (#6925674) Homepage
    Personally, I don't want to patch RPC, I want to disable it. Where is the option for that?

    -Chris
