In article <ydacnf61nLJoibaiXTWJhg@seg.net>,
nobody@dontsendmeanyspam.com says...
>
> "Jeffrey A. Setaro" <jasetaro@mags.net> wrote in message
> news:MPG.1994dc9377a46a6e9896fd@news.mags.net...
> > In article <ssSdnbDZtKRFlLaiU-KYuQ@seg.net>,
> > nobody@atdon'tbothertowrite.com says...
> > > <Quote>
> > > In its advisory, CERT recommends that customers apply the Microsoft patch
> > > and, as well, block network traffic on Transmission Control Protocol (TCP)
> > > ports 135, 139, and 445, which are used by the RPC service. <END>
> > >
> > > http://www.pcworld.com/news/article/0,aid,111856,00.asp
> > >
> >
> > Wow, it's only taken CERT & PC World two weeks to catch up. Microsoft
> > released a bulletin and patch for this on July 16, 2003.
> >
> > See Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC
> > Interface Could Allow Code Execution (Q823980)
> > <http://www.microsoft.com/technet/security/bulletin/MS03-026.asp> for
> > details.
> >
>
> No, Jeff - this is a SECOND warning about that particular security patch.
> Been on the news all day. Apparently there is a problem -
>
> <quote>In the past two days, the computer security research and development
> organization has received reports of "thousands" of systems compromised
> using variations of the malicious code, known as DCOM RPC, after the flawed
> Windows DCOM (distributed component object model) interface, according to
> Jeff Havrilla, Internet security analyst at CERT in Pittsburgh.
> CERT does not know how many machines have been hacked using the DCOM RPC
> exploit, but the ratio between the number of reports CERT typically receives
> to the number of machines compromised suggests that the number is large,
> Havrilla said.<end>
>
> I posted the link because this warning specifies to not only get the patch
> but to block those 3 particular ports. I've had at least 7 attempts at my
> machine - mostly port 445 - today alone. Normally I get <2 in 24 hours.
>
It's old news... The only reason it's being rehashed today is because
some nitwit released exploit code and the usual suspects (read: clueless
administrators and/or users) haven't taken basic risk mitigation steps
even though they've had ample warning.
Do you really think PC World and/or CERT are going to motivate the usual
suspects into applying a patch that was released two weeks ago and to
block ports that should have been blocked long ago?
--
Cheers-
Jeff Setaro
jasetaro@mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
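The CERT advice quoted in the thread is to block TCP 135, 139 and 445 at the perimeter, and the poster judges exposure by counting blocked attempts on those ports against a normal rate of fewer than two a day. The script below is an added example, not code from the thread or from any of its participants: it parses constructed firewall drop lines in a hypothetical "date time DROP TCP src dst sport dport" format, tallies hits on the three RPC/SMB ports per day, and flags days that exceed that baseline.

```python
import re
from collections import Counter

# Ports CERT recommended blocking around MS03-026: RPC endpoint mapper (135),
# NetBIOS session service (139) and SMB over TCP (445).
RPC_PORTS = {135, 139, 445}

# Constructed sample firewall log (hypothetical format, not from the thread):
# "<date> <time> DROP TCP <src_ip> <dst_ip> <src_port> <dst_port>"
SAMPLE_LOG = """\
2003-07-30 08:01:12 DROP TCP 203.0.113.5 192.168.1.10 3344 445
2003-07-30 08:02:40 DROP TCP 203.0.113.9 192.168.1.10 1025 135
2003-07-30 08:05:01 DROP TCP 198.51.100.7 192.168.1.10 4433 445
2003-07-30 08:07:19 DROP TCP 198.51.100.7 192.168.1.10 4434 139
2003-07-30 09:11:00 DROP TCP 203.0.113.5 192.168.1.10 3345 445
2003-07-30 09:30:22 DROP TCP 192.0.2.44 192.168.1.10 2221 445
2003-07-30 10:15:03 DROP TCP 192.0.2.44 192.168.1.10 2222 445
2003-07-30 10:20:00 DROP TCP 192.0.2.44 192.168.1.10 2223 80
2003-07-29 14:00:00 DROP TCP 203.0.113.5 192.168.1.10 3300 445
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ DROP TCP (?P<src>\S+) \S+ \d+ (?P<dport>\d+)$"
)


def rpc_hits_per_day(log_text):
    """Return {date: Counter(dst_port -> count)} for dropped inbound TCP
    connections to the RPC/SMB ports; all other traffic is ignored."""
    per_day = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not TCP drops in the expected format
        port = int(m.group("dport"))
        if port not in RPC_PORTS:
            continue
        per_day.setdefault(m.group("date"), Counter())[port] += 1
    return per_day


def days_over_baseline(per_day, baseline=2):
    """Dates whose total RPC-port attempts exceed the usual daily count
    (the poster's normal rate was fewer than 2 per 24 hours)."""
    return sorted(d for d, c in per_day.items() if sum(c.values()) > baseline)


if __name__ == "__main__":
    hits = rpc_hits_per_day(SAMPLE_LOG)
    for day in sorted(hits):
        print(day, dict(hits[day]), "total:", sum(hits[day].values()))
    print("days over baseline:", days_over_baseline(hits))
```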