Thread: Security Warning from CERT!

  1. #1
    mto Guest

    Security Warning from CERT!

    <Quote>
    In its advisory, CERT recommends that customers apply the Microsoft patch
    and, as well, block network traffic on Transmission Control Protocol (TCP)
    ports 135, 139, and 445, which are used by the RPC service. <END>

    http://www.pcworld.com/news/article/0,aid,111856,00.asp



  2. #2
    Jeffrey A. Setaro Guest

    Re: Security Warning from CERT!

    In article <ssSdnbDZtKRFlLaiU-KYuQ@seg.net>,
    nobody@atdon'tbothertowrite.com says...
    > <Quote>
    > In its advisory, CERT recommends that customers apply the Microsoft patch
    > and, as well, block network traffic on Transmission Control Protocol (TCP)
    > ports 135, 139, and 445, which are used by the RPC service. <END>
    >
    > http://www.pcworld.com/news/article/0,aid,111856,00.asp
    >


    Wow it's only taken CERT & PC World two weeks to catch up. Microsoft
    released a bulletin and patch for this on July 16, 2003.

    See Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC
    Interface Could Allow Code Execution (Q823980)
    <http://www.microsoft.com/technet/security/bulletin/MS03-026.asp> for
    details.

    --
    Cheers-

    Jeff Setaro
    jasetaro@mags.net
    http://people.mags.net/jasetaro/
    PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

  3. #3
    Jeffrey A. Setaro Guest

    Re: Security Warning from CERT!

    In article <ydacnf61nLJoibaiXTWJhg@seg.net>,
    nobody@dontsendmeanyspam.com says...
    >
    > "Jeffrey A. Setaro" <jasetaro@mags.net> wrote in message
    > news:MPG.1994dc9377a46a6e9896fd@news.mags.net...
    > > In article <ssSdnbDZtKRFlLaiU-KYuQ@seg.net>,
    > > nobody@atdon'tbothertowrite.com says...
    > > > <Quote>
    > > > In its advisory, CERT recommends that customers apply the Microsoft patch
    > > > and, as well, block network traffic on Transmission Control Protocol (TCP)
    > > > ports 135, 139, and 445, which are used by the RPC service. <END>
    > > >
    > > > http://www.pcworld.com/news/article/0,aid,111856,00.asp
    > > >
    > >
    > > Wow it's only taken CERT & PC World two weeks to catch up. Microsoft
    > > released a bulletin and patch for this on July 16, 2003.
    > >
    > > See Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC
    > > Interface Could Allow Code Execution (Q823980)
    > > <http://www.microsoft.com/technet/security/bulletin/MS03-026.asp> for
    > > details.
    > >
    >
    > No, Jeff - this is a SECOND warning about that particular security patch.
    > Been on the news all day. Apparently there is a problem -
    >
    > <quote>In the past two days, the computer security research and development
    > organization has received reports of "thousands" of systems compromised
    > using variations of the malicious code, known as DCOM RPC, after the flawed
    > Windows DCOM (distributed component object model) interface, according to
    > Jeff Havrilla, Internet security analyst at CERT in Pittsburgh.
    > CERT does not know how many machines have been hacked using the DCOM RPC
    > exploit, but the ratio between the number of reports CERT typically receives
    > to the number of machines compromised suggests that the number is large,
    > Havrilla said.<end>
    >
    > I posted the link because this warning specifies to not only get the patch
    > but to block those 3 particular ports. I've had at least 7 attempts at my
    > machine - mostly port 445 - today alone. Normally I get <2 in 24 hours.
    >


    It's old news... The only reason it's being rehashed today is because
    some nitwit released exploit code and the usual suspects (read clueless
    administrators and/or users) haven't taken basic risk mitigation steps
    even though they've had ample warning.

    Do you really think PC World and/or CERT are going to motivate the usual
    suspects into applying a patch that was released two weeks ago and to
    block ports that should have been blocked long ago?

    --
    Cheers-

    Jeff Setaro
    jasetaro@mags.net
    http://people.mags.net/jasetaro/
    PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

  4. #4
    Han Guest

    Re: Security Warning from CERT!

    Unfortunately, the update via Windows update on my work machine (NT4,
    SP6) was less than successful. The patch download and install seemed to
    go alright, but the reboot did not. My regular account (admin rights)
    didn't complete logon, with an explorer.exe failure - when I hit OK after
    the Mr Watson thing, I was just left with a screen in background color.
    I could switch logon to my other, simpler admin account, and there I was
    able to get "in". However, nothing that remotely needs anything like
    Rasman works, including Eudora - it simply crashed, although I don't
    think it is set for autodial (I use a modem to connect to my homebase - a
    university in NYC).

    I found some instructions on how to reinstall rasman (googled and found
    an Earthlink page with detailed instructions), but I'm not sure that'll
    get me remote procedures back up.

    Anyone with ideas, please post ...

    (I now think that there was not enough free space on the drive to
    finalize the installation)
    --
    Best regards
    Han
    email address is invalid

  5. #5
    -=ô;ö=- Guest

    Re: Security Warning from CERT!


    "mto" <nobody@dontsendmeanyspam.com> wrote in message
    news:ydacnf61nLJoibaiXTWJhg@seg.net...
    |
    | "Jeffrey A. Setaro" <jasetaro@mags.net> wrote in message
    | news:MPG.1994dc9377a46a6e9896fd@news.mags.net...
    | > In article <ssSdnbDZtKRFlLaiU-KYuQ@seg.net>,
    | > nobody@atdon'tbothertowrite.com says...
    | > > <Quote>
    | > > In its advisory, CERT recommends that customers apply the Microsoft patch
    | > > and, as well, block network traffic on Transmission Control Protocol (TCP)
    | > > ports 135, 139, and 445, which are used by the RPC service. <END>
    | > >
    | > > http://www.pcworld.com/news/article/0,aid,111856,00.asp
    | > >
    | >
    | > Wow it's only taken CERT & PC World two weeks to catch up. Microsoft
    | > released a bulletin and patch for this on July 16, 2003.
    | >
    | > See Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC
    | > Interface Could Allow Code Execution (Q823980)
    | > <http://www.microsoft.com/technet/security/bulletin/MS03-026.asp> for
    | > details.
    | >
    |
    | No, Jeff - this is a SECOND warning about that particular security patch.
    | Been on the news all day. Apparently there is a problem -
    |
    | <quote>In the past two days, the computer security research and development
    | organization has received reports of "thousands" of systems compromised
    | using variations of the malicious code, known as DCOM RPC, after the flawed
    | Windows DCOM (distributed component object model) interface, according to
    | Jeff Havrilla, Internet security analyst at CERT in Pittsburgh.
    | CERT does not know how many machines have been hacked using the DCOM RPC
    | exploit, but the ratio between the number of reports CERT typically receives
    | to the number of machines compromised suggests that the number is large,
    | Havrilla said.<end>
    |
    | I posted the link because this warning specifies to not only get the patch
    | but to block those 3 particular ports. I've had at least 7 attempts at my
    | machine - mostly port 445 - today alone. Normally I get <2 in 24 hours.
    |
    |
    I have noticed a rise in Sub7 probes on my fw on the FreeNet Port... strange
    indeed... a New Exploit???
    --
    Come To Florida, We Need Voters that
    actually KNOW how to cast a Ballot....
    -=ô;ö=-



  6. #6
    Jay T. Blocksom Guest

    Re: Security Warning from CERT!

    On Sat, 02 Aug 2003 02:00:18 GMT, in <alt.privacy.spyware>, Han
    <noone@nospam.invalid> wrote:
    >
    > Unfortunately, the update via Windows update on my work machine (NT4,
    > SP6) was less than successful. The patch download and install seemed to
    > go alright, but the reboot did not. My regular account (admin rights)
    [snip]                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                            |
    Well, there's ONE obvious problem ----------------------+

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net


    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this E-Mail address is expressly prohibited
    under USC Title 47, Section 227. Violators are subject to charge of up to
    $1,500 per incident or treble actual costs, whichever is greater.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
