

Please install MS03-039 patch NOW! (824146)


62 replies to this topic

#51 OFFLINE   Rons

Rons

    Forum Fiend

  • Forum MVP
  • 1,753 posts

Posted 15 August 2003 - 01:29 PM

MS site for the Blaster worm: http://www.microsoft...ident/blast.asp
Some more helpful info.  :D

#52 OFFLINE   epp_b

epp_b

    Discussion Deity

  • Members
  • 4,735 posts

Posted 15 August 2003 - 01:46 PM

Everyone prepare -- THE END OF THE WORLD IS COMING!!!  (JUST KIDDING :D)

#53 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 15 August 2003 - 01:55 PM

epp_b, on Aug 15 2003, 11:46 AM, said:

Everyone prepare -- THE END OF THE WORLD IS COMING!!!  (JUST KIDDING :))

Why not? Some yahoo on Lockergnome was blaming the big power outage on it.   If the power grid is really being run on Windows, it's time to go caveman; it IS the end of the world.    :D  :D  :D
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#54 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 15 August 2003 - 02:00 PM

I had a D'Oh moment this morning.  I finally get a break on virus quashing and begin to set up Windows XP on a new client system I've got.  I have a routine down pat.  I install Windows and then connect to the Internet via my DSL line or the client's to download drivers, patches, and so forth.  I connected the system, went and took a phone call, and came back to see MSBLAST shutting down the system.  I didn't patch the system before I hit the Internet.   It took perhaps two minutes tops to get infected.  I've got the patch on CD so it's easy to fix, just annoying on a fresh box.

Is there any way to slipstream this patch onto a WinXP install disk?
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#55 OFFLINE   volunteer

volunteer

    Message Mogul

  • Members
  • 347 posts

Posted 16 August 2003 - 04:31 PM

nlinecomputers, on Aug 12 2003, 08:37 PM, said:

Rons, I have the patch and Symantec's tool on a CD.  So I unplug the unit from the Internet, disable System Restore, bring up Task Manager and kill MSBLAST, run Symantec's FixBlast tool, install the patch, reboot, reconnect to the Internet, install all other patches and update/install/replace the antivirus program.

Has anyone else noted that the Internet is slow?  Everyone is having problems with slow, sluggish response times as of yesterday.  It seems to be a little better tonight.  Anyone else sluggish?

Nathan, I had a friend call this morning for help with her computer.  She had MS Blaster so I downloaded the files I needed and followed your procedure and it worked great.  She has XP Pro w/o SP1; good thing I had thought to bring my SP1 CD.  I set up ICF for her and she's now running NAV.
Thanks,  ;) Ken

#56 Guest_ThunderRiver_*

Guest_ThunderRiver_*
  • Guests

Posted 10 September 2003 - 05:40 PM

Title:     Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
Date:      September 10, 2003
Software:  Microsoft Windows NT Workstation 4.0
           Microsoft Windows NT Server® 4.0
           Microsoft Windows NT Server 4.0, Terminal Server Edition
           Microsoft Windows 2000
           Microsoft Windows XP
           Microsoft Windows Server 2003
Impact:    Run code of attacker's choice
Max Risk:  Critical
Bulletin:  MS03-039

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft...in/MS03-039.asp
http://www.microsoft...ns/MS03-039.asp
-----------------------------------------------------------------

Issue:
======
The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation: two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.

Mitigating Factors:
====================
- Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft...in/MS03-039.asp
  http://www.microsoft...ns/MS03-039.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com/html)
- NSFOCUS Security Team (http://www.nsfocus.com)
- Xue Yong Zhi and Renaud Deraison from Tenable Network Security (http://www.tenablesecurity.com)
for reporting the buffer overrun vulnerabilities and working with us to protect customers.
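The bulletin's only listed mitigating factor is perimeter filtering of the affected ports. As an added example (not from the thread, not Microsoft's scanning tool from KB 827363), the script below runs a defender-side check over constructed firewall log lines and reports external sources whose allowed connections reached RPC/DCOM ports on several internal hosts, the pattern a firewall that follows the bulletin's advice should never log. It assumes the affected ports are TCP 135, 139, 445 and 593 (the bulletin above does not list them) and a constructed log format.

```python
import ipaddress
from collections import defaultdict

# Ports assumed for the RPCSS/DCOM exposure MS03-039 describes
# (assumption: the bulletin text above does not enumerate them).
RPC_DCOM_PORTS = {135, 139, 445, 593}

# Constructed sample firewall log, not from the thread:
# "<time> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-15T13:20:01 ALLOW 198.51.100.7:3012 -> 192.168.1.10:135
2003-08-15T13:20:02 ALLOW 198.51.100.7:3013 -> 192.168.1.11:135
2003-08-15T13:20:02 ALLOW 198.51.100.7:3014 -> 192.168.1.12:135
2003-08-15T13:20:05 ALLOW 192.168.1.10:1044 -> 192.168.1.5:445
2003-08-15T13:20:07 DENY  203.0.113.9:4001 -> 192.168.1.10:135
2003-08-15T13:20:09 ALLOW 198.51.100.7:3015 -> 192.168.1.13:80
"""

# Assumed internal address space for the constructed log.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (action, src_ip, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src_ip, _, _ = parts[2].rpartition(":")
    dst_ip, _, dst_port = parts[4].rpartition(":")
    if not dst_port.isdigit():
        return None
    return parts[1], src_ip, dst_ip, int(dst_port)


def exposed_rpc_sources(log: str, min_targets: int = 2):
    """External sources whose ALLOWed connections hit RPC/DCOM ports on at
    least `min_targets` distinct internal hosts. Denied connections, internal
    sources and non-RPC ports are ignored, so a perimeter that blocks the
    affected ports as the bulletin advises yields an empty result."""
    targets = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, port = rec
        if action != "ALLOW" or port not in RPC_DCOM_PORTS:
            continue
        if is_internal(src) or not is_internal(dst):
            continue
        targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}
```

On the constructed log only 198.51.100.7 is reported: the 203.0.113.9 attempt was denied and the 192.168.1.10 connection is internal.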

#57 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 10 September 2003 - 05:57 PM

Thunder, thanks for the heads up.  I just got the email today and had not had a chance to review it yet!
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#58 OFFLINE   Rons

Rons

    Forum Fiend

  • Forum MVP
  • 1,753 posts

Posted 10 September 2003 - 08:31 PM

Thunder - Nlinecomputers
I posted this before - but no one seemed interested. Wouldn't disabling DCOM eliminate the problem? If not, please let me know since I respect your opinions. :P http://grc.com/dcom/

#59 OFFLINE   Peachy

Peachy

    Anarquista De Sartorial

  • Forum Moderators
  • 5,448 posts

Posted 10 September 2003 - 09:06 PM

Rons, on Sep 10 2003, 08:31 PM, said:

Thunder - Nlinecomputers
I posted this before - but no one seemed interested. Wouldn't disabling DCOM eliminate the problem? If not, please let me know since I respect your opinions. :P http://grc.com/dcom/

Rons, actually, if you read Microsoft's new bulletin, they point out you can disable DCOM to prevent this.

Quote

Disable DCOM on all affected machines

When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.

If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.

Information on how to disable DCOM is available in Microsoft Knowledge Base Article 825750.

Note: For Windows 2000, the methods described above will only work on systems running Service Pack 3 or later. Customers using Service Pack 2 or below should upgrade to a later Service Pack or use one of the other workarounds.

'freedom...is actually the reason that men live together in political organisations at all. Without it, political life as such would be meaningless. The raison d'Être of politics is freedom, and its field of experience is action'.


#60 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 10 September 2003 - 09:09 PM

Well, DCOM is not as totally useless as Steve "I must use BIG RED TEXT TO SCARE THE CRUD OUT OF YOU" Gibson implies.  Some websites use ActiveX, and if you disable DCOM you will lose out on those sites.  But for the most part it is a pretty good idea.
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#61 Guest_ThunderRiver_*

Guest_ThunderRiver_*
  • Guests

Posted 10 September 2003 - 09:29 PM

I personally do not recommend people follow Steve's instruction to disable DCOM or the RPC service. There are programs that rely on DCOM. One good example is MSN Messenger, and other examples are ActiveX-enabled web sites. Even though DCOM poses great risks to system security, there is really no reason to disable it unless you don't plan to use certain features in the future. The same rule applies to ActiveX.

Microsoft normally releases patches ahead of time on such critical flaws. If you patch it now (like today), it will save you a lot of time and effort a few weeks from now. If you still want to disable DCOM, it is still your choice to do so. However, if one day you run into problems with certain products, you are expected to figure out that you disabled DCOM in the first place. Normally, Microsoft assumes you have DCOM enabled; thus, their tech support won't help you much.

As one of the MVPs said, Steve is telling you to turn off services without revealing the extensive consequences. Even though he says most software doesn't rely on DCOM, he can NEVER be sure that there will be no side-effects whatsoever.

ThunderRiver

#62 OFFLINE   Rons

Rons

    Forum Fiend

  • Forum MVP
  • 1,753 posts

Posted 10 September 2003 - 09:51 PM

Peachy, Nlinecomputers & Thunder
As always, thanks for the sound advice. I think I will enable DCOM for now. Patch to be applied after I post this.
Thanks again.  :P

#63 Guest_ThunderRiver_*

Guest_ThunderRiver_*
  • Guests

Posted 10 September 2003 - 11:08 PM

Just received the email half hour ago.

Quote

----- Original Message -----
From: "Microsoft" <0_52291_CA4E69E8-0574-454D-B0D5-E90B7B210B74_US@Newsletters.Microsoft.com>
Sent: Wednesday, September 10, 2003 10:49 PM
Subject: Important: Critical Microsoft Security Bulletin MS03-039

Dear Valued Microsoft Customer,

We are contacting you today to make you aware that we have released Microsoft Security Bulletin MS03-039 today, September 10, 2003.  This bulletin details three critical vulnerabilities in the Windows operating system and provides instructions for applying the corresponding patch.  While there is currently no active exploit of this vulnerability, if successfully exploited, these vulnerabilities would allow an attacker to gain control of the target system.  We strongly encourage you to obtain and deploy this patch to any affected system that connects to your network; this includes systems on your local area network and remote or mobile systems.  For the most current information on affected systems and recommended remediation steps, please read the bulletin posted at:  http://www.microsoft...in/ms03-039.asp

We understand the potential effect this situation and the recommended remediation steps may have on you.  Microsoft is committed to providing you with information and tools to help run your enterprise safely and reliably on an on-going basis.  When we become aware of vulnerabilities, it is our goal to quickly share protection and remediation information and work in partnership with you to eliminate these kinds of threats to your business.  In order to help protect your computing environment from security vulnerabilities, we strongly encourage you to visit http://www.microsoft...ecurity/protect and implement the following three steps in your enterprise:

1. Verify firewall configuration.  Audit Internet and intranet firewalls to ensure they comply with your security policy; these are your first line of defense.  In addition, evaluate using host-level firewalls such as the Internet Connection Firewall in Windows XP.  This is especially important for systems such as laptops and home PCs that connect to your network remotely.

2. Stay up to date.  Use update services from Microsoft to keep your systems up to date.
   - Automatic Updates, available on Windows XP, Windows 2000 SP3 and SP4, and Windows Server 2003. Automatic Updates works with the Windows Update Web site to automate the process of updating Windows systems.
   - Software Update Services (SUS), a patch-distribution server available for download from our Web site. SUS enables you to deploy a server in your business that Automatic Updates clients will use to get only approved and tested patches.
   In addition to using these update services, we strongly recommend that you subscribe to Microsoft's free security notification service at http://www.microsoft...itynotification, so that you are proactively kept aware of new security issues.

3. Use and keep antivirus software up-to-date.  Antivirus software programs will help protect your systems against many viruses, worms, Trojan horses, and other malicious code.  To protect your systems from new viruses, it's also important to obtain up-to-date antivirus signatures through a subscription service from the antivirus software vendor. You should not let remote users or laptops connect to your network unless they have up-to-date antivirus software installed. In addition, consider using antivirus software in multiple points of your computer infrastructure, such as on edge Web proxy systems, as well as on email servers and gateways.

You should also protect your network by requiring employees to take the same three steps with home and laptop PCs they use to remotely connect to your enterprise, and by encouraging them to talk with friends and family to do the same with their PCs.  To make this easier, we have set up a new Web site to assist PC users at http://www.microsoft.com/protect.

Again, we want to encourage you to read this security bulletin and deploy the patch to your systems.  We want to thank you for your patience and work with you to protect your business from these kinds of security threats.

Thank you,
Microsoft Corporation

For information about Microsoft's privacy policies, please go to http://www.microsoft...nfo/privacy.htm
