  #1 (permalink)  
Old 27th July, 2003, 09:57 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Big Windows NT/2000/XP security hole

This was sent to me recently, so I'm reproducing it here so everyone knows. Formatting has been slightly changed to make it fit into AOA!

Advisory
Title: Potential For Significant Impact On Internet Operations Due To Vulnerability In Microsoft Operating Systems
Date: July 24, 2003

SYSTEMS AFFECTED: Computers using the following operating systems:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

OVERVIEW
The Department of Homeland Security (DHS) / Information Analysis and Infrastructure Protection (IAIP) National Cyber Security Division (NCSD) is issuing this advisory in consultation with the Microsoft Corporation to heighten awareness of potential Internet disruptions resulting from the possible spread of malicious software exploiting a vulnerability in popular Microsoft Windows operating systems.

DHS expects that exploits are being developed for malicious use. Two additional factors are causing heightened interest in this situation: the affected operating systems are in widespread use, and exploitation of the vulnerability could permit the execution of arbitrary code. DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer.

IMPACT
The recently announced Remote Procedure Call (RPC) vulnerability in computers running Microsoft Windows operating systems listed above could be exploited to allow the execution of arbitrary code or could cause a denial of service state in an unprotected computer. Because of the significant percentage of Internet-connected computers running Windows operating systems and using high speed connections (DSL or cable for example), the potential exists for a worm or virus to propagate rapidly across the Internet carrying payloads that might exploit other known vulnerabilities in switching devices, routers, or servers.

DETAILS
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The vulnerability results from the handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC-enabled ports. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. An attacker who successfully exploited this vulnerability would be able to run code with local system privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

RECOMMENDATION
Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage system administrators and computer owners to take this opportunity to update vulnerable versions of Microsoft Windows operating systems as soon as possible. Microsoft updates, workarounds, and additional information are available at http://microsoft.com/technet/treevie...n/MS03-026.asp

DHS and Microsoft further suggest that Internet Service Providers and network administrators consider blocking TCP and UDP ports 135, 139, and 445 for inbound connections unless absolutely needed for business or operational purposes.

Advisories recommend the immediate implementation of protective actions, including best practices when available. DHS encourages recipients of this advisory to report information concerning suspicious or criminal activity to law enforcement or a DHS watch office. The DHS Information Analysis and Infrastructure Protection watch offices may be contacted at:

For private citizens and companies – Phone: (202) 323-3205, 1-888-585-9078
Email: nipc.watch@fbi.gov
Online: http://www.nipc.gov/incident/cirr.htm

For telecommunications industry - Phone: (703) 607-4950
Email: ncs@dhs.gov

For Federal agencies/departments - Phone: (888) 282-0870
Email: fedcirc@fedcirc.gov
Online: https://incidentreport.fedcirc.gov

DHS intends to update this alert should it receive additional relevant information, including information provided to it by the user community. Based on this notification, no change to the Homeland Security Advisory System level (HSAS) is anticipated; the current HSAS level is YELLOW.
__________________
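The advisory's recommendation to block inbound TCP/UDP 135, 139 and 445 can be turned into two small defender checks: an audit of whether an inbound rule set actually drops those ports, and detection of the one-source-to-many-hosts fan-out that a worm probing port 135 produces. This is an added example, not part of the advisory or of this thread; the firewall log format, the sample log lines and the rule tuples are all constructed for the example.

```python
# Added example (not from the advisory): detection logic over constructed
# firewall log lines for the ports the advisory says to block inbound.
# Assumed line format: <date> <time> <action> <proto> <src> <dst> <sport> <dport>
from collections import defaultdict

ADVISORY_PORTS = {135, 139, 445}  # TCP and UDP, per the RECOMMENDATION section

# Constructed sample: one outside host sweeping port 135 across a subnet (worm
# fan-out), one legitimate repeated 445 session, and unrelated web traffic.
SAMPLE_LOG = "\n".join(
    [f"2003-07-27 21:5{i // 10}:{i % 10:02d} DROP TCP 203.0.113.7 192.168.1.{i} 3{i} 135"
     for i in range(1, 13)]
    + ["2003-07-27 21:58:00 ALLOW TCP 192.168.1.50 192.168.1.10 1044 445",
       "2003-07-27 21:58:05 ALLOW TCP 192.168.1.50 192.168.1.10 1045 445",
       "2003-07-27 21:58:10 ALLOW TCP 198.51.100.9 192.168.1.10 40000 80"]
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 8:
        return None
    _date, _time, action, proto, src, dst, sport, dport = parts
    try:
        return {"action": action, "proto": proto, "src": src, "dst": dst,
                "sport": int(sport), "dport": int(dport)}
    except ValueError:
        return None

def find_scanners(log_text, threshold=8):
    """Map suspicious sources to {port: distinct destinations hit}.
    A worm probing a subnet fans out to many hosts on one port; a real client
    talking repeatedly to one server stays below the threshold."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in ADVISORY_PORTS:
            targets[rec["src"]][rec["dport"]].add(rec["dst"])
    return {src: {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= threshold}
            for src, ports in targets.items()
            if any(len(dsts) >= threshold for dsts in ports.values())}

def unblocked_advisory_ports(rules, default="ALLOW"):
    """Audit inbound rules given as (proto, port, action) tuples, first match wins;
    return the advisory (proto, port) pairs that are still allowed in."""
    still_open = []
    for proto in ("TCP", "UDP"):
        for port in sorted(ADVISORY_PORTS):
            action = next((a for p, pt, a in rules if p == proto and pt == port), default)
            if action != "DROP":
                still_open.append((proto, port))
    return still_open
```

Run `find_scanners(SAMPLE_LOG)` to see the sweeping host reported with the 12 distinct targets it hit on 135, while the legitimate 445 client is not flagged.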
  #2 (permalink)  
Old 27th July, 2003, 10:10 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

For those who are curious, I have seen several different versions of code that will exploit this very vulnerability. I'm pretty sure we'll end up seeing a worm for this if people do not patch their machines!
__________________
Any views, thoughts and opinions are entirely my own. They don't necessarily represent those of my employer (BlackBerry).
  #3 (permalink)  
Old 28th July, 2003, 07:17 PM
cloasters's Avatar
Asst. BBS Administrator
 
Join Date: September 2001
Location: Location, Location
Posts: 21,956

Quote:
Originally Posted by Áedán
For those who are curious, I have seen several different versions of code that will exploit this very vulnerability. I'm pretty sure we'll end up seeing a worm for this if people do not patch their machines!
Thank you for this news, Aedan!
I hope this patch doesn't break something in the process of fixing something. Oh me of little faith.
__________________
When the world will be better.
  #4 (permalink)  
Old 28th July, 2003, 08:54 PM
Postaldave's Avatar
Member
 
Join Date: February 2003
Location: 3 hours from LA.. its hot here
Posts: 591

We were notified and patched the same day, as we just bought 14 new dual P4 Xeon servers with Win 2003 Server.

postal

Thanks for the updates there, buddy.

Did you guys get all the info on that wonderful Cisco virus last week... the one that wonderfully shut down the internet for a day, lol...
__________________
WoW Server: Uther
Postal - 60 Undead Rogue
Evad - 60 Tauren Druid
Phaustus - 60 Troll Shaman
AOA Team fah
  #5 (permalink)  
Old 29th July, 2003, 12:33 AM
BigRed's Avatar
Member
 
Join Date: September 2002
Location: Seattle, WA
Posts: 1,356

Ohhh, Windows with another security hole, what else is new?
__________________
"Get busy living or get busy dying, Thats god damn right." -Red
  #6 (permalink)  
Old 29th July, 2003, 10:06 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

The Cisco hole? Yeah, basically, all that was required was that the IOS device was sent packets with a certain IP ID on them, and that the TTL be 1 or 0. This appears to cause IOS to choke and fail to remove the packet from the processing queue.

As that packet is stuck at the head of the processing queue, no packets after it could be processed. The workaround was to do some packet filtering, and filter the packets until you could upgrade the version of IOS.
__________________
Any views, thoughts and opinions are entirely my own. They don't necessarily represent those of my employer (BlackBerry).
  #7 (permalink)  
Old 29th July, 2003, 04:31 PM
cloasters's Avatar
Asst. BBS Administrator
 
Join Date: September 2001
Location: Location, Location
Posts: 21,956

Quote:
Originally Posted by Áedán
The Cisco hole? Yeah, basically, all that was required was that the IOS device was sent packets with a certain IP ID on them, and that the TTL be 1 or 0. This appears to cause IOS to choke and fail to remove the packet from the processing queue.

As that packet is stuck at the head of the processing queue, no packets after it could be processed. The workaround was to do some packet filtering, and filter the packets until you could upgrade the version of IOS.
What I've seen about addressing this bug in Cisco routers is opaque to this particular dummy. Cisco lays out this information in a logical, easy to understand manner. Not exactly.
__________________
When the world will be better.
  #8 (permalink)  
Old 29th July, 2003, 06:42 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Try
http://www.cisco.com/warp/public/707...-blocked.shtml

It explains the problem, the fixed versions of IOS and the workarounds, in a logical, easy-to-follow manner. Yes, you need to have some level of familiarity with Cisco routers before applying the workaround, but that goes for any product.
__________________
Any views, thoughts and opinions are entirely my own. They don't necessarily represent those of my employer (BlackBerry).
  #9 (permalink)  
Old 30th July, 2003, 05:35 PM
Member
 
Join Date: June 2003
Location: UK
Posts: 62

Quote:
Originally Posted by Áedán
Try
http://www.cisco.com/warp/public/707...-blocked.shtml

It explains the problem, the fixed versions of IOS and the workarounds, in a logical, easy-to-follow manner. Yes, you need to have some level of familiarity with Cisco routers before applying the workaround, but that goes for any product.
Hey, I installed that patch from the Microsoft site. I'm using Windows 2000 Professional btw.

And now when I shut down or restart my PC it takes a lot longer than it did before.

Before - 10 seconds max
After - 70+ seconds!

Should I be worried about this? Everything seems to run OK, and it definitely wasn't taking this long last night.
__________________
"The things you own, end up owning you" - Tyler Durden

Last edited by The Running Man; 30th July, 2003 at 06:28 PM.
  #10 (permalink)  
Old 30th July, 2003, 08:35 PM
robbie's Avatar
AOA Staff
 
Join Date: November 2001
Location: Out in the desert of Ca.
Posts: 12,548

I'd worry if I was you.
Rob
__________________
Taking each day as it comes
Grow, learn and OVERCLOCK. Need help?? Ask me.
Your Mommy!! (Aug/02) Welcome to the fold.
Buy it, Sell it, or Trade it in the AoA classifieds!!
AOA Team fah
  #11 (permalink)  
Old 2nd August, 2003, 12:06 AM
SiGmA_X's Avatar
Member
 
Join Date: April 2002
Location: Portland, OR
Posts: 1,529

Quote:
Originally Posted by The Running Man
Hey, I installed that patch from the Microsoft site. I'm using Windows 2000 Professional btw.

And now when I shut down or restart my PC it takes a lot longer than it did before.

Before - 10 seconds max
After - 70+ seconds!

Should I be worried about this? Everything seems to run OK, and it definitely wasn't taking this long last night.
Same thing here on Win2000Pro at work.. It's worrying me! But then I do a hard restart, and it boots in 20 sec..?
__________________
"In war, it is not the goal to die for your country, but rather to make the other bastard die for his!"
AOA Team fah
  #12 (permalink)  
Old 2nd August, 2003, 01:40 AM
Member
 
Join Date: June 2003
Location: UK
Posts: 62

Quote:
Originally Posted by SiGmA_X
Same thing here on Win2000Pro at work.. It's worrying me! But then I do a hard restart, and it boots in 20 sec..?
Here's news for ya: I uninstalled the patch and it boots up quick and shuts down quick again.

The patch changes something, I do not know what. We need more information on this, the patch itself could be flawed.
__________________
"The things you own, end up owning you" - Tyler Durden
  #13 (permalink)  
Old 4th August, 2003, 04:56 PM
cloasters's Avatar
Asst. BBS Administrator
 
Join Date: September 2001
Location: Location, Location
Posts: 21,956

After the patch, plus the even newer patch, I don't see an increase in shutdown time, in XP at any rate. Sometimes you can get lucky.
__________________
When the world will be better.
  #14 (permalink)  
Old 8th August, 2003, 05:29 AM
SiGmA_X's Avatar
Member
 
Join Date: April 2002
Location: Portland, OR
Posts: 1,529

I have an extra 70 sec at home and work, both ways.
__________________
"In war, it is not the goal to die for your country, but rather to make the other bastard die for his!"
AOA Team fah
  #15 (permalink)  
Old 8th August, 2003, 08:39 PM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Many thanks, Aedan! I immediately updated my boxes!
I'm going to check my start-up speeds now. But I don't believe I've seen an increase in start up times, but I may not have noticed as I don't reboot that often.
__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur

Subscribers! Ask Pitch about a Custom Sig Graphic

  #16 (permalink)  
Old 8th August, 2003, 08:50 PM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

My #1 box boots in 60 sec. My #2 Box in 63 sec.

This is unchanged for me. Considering my Fast Track RAID card and network connections, this seems a fairly good boot for 2000 Pro boxes. At least it is unchanged.
__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur

Subscribers! Ask Pitch about a Custom Sig Graphic

  #17 (permalink)  
Old 8th August, 2003, 09:45 PM
SiGmA_X's Avatar
Member
 
Join Date: April 2002
Location: Portland, OR
Posts: 1,529

Humm... Mine spiked a lot.. :-\
__________________
"In war, it is not the goal to die for your country, but rather to make the other bastard die for his!"
AOA Team fah