Because the RPC hole was exploited so quickly the last time, I thought it best to post this.
Products Affected by This Update
* Windows NT
New Blaster-related patch (MS03-039)
A number of sites have pointed out in the last couple days that this patch from Microsoft to plug the large Port 135 RPC code vulnerability should be downloaded but it won’t do the job competently.
What is much more essential to protect from this vulnerability is a decent firewall, preferably a router plus software firewalls like Norton Personal firewall or Zone Alarm. The Windows XP Firewall that will allow Trojans to ship out is a much less satisfactory choice but better than nothing.
Steve Gibson and Tech TV did articles on this as well, and I think Cowboydawg posted a link to the adjunct they recommend on one of the other threads I couldn’t find at the moment. Gibson’s site and Tech TV endorse using a firewall and DCOMbobulator. From Leo Laporte at Tech TV:
“Microsoft released several patches for the vulnerability, but I don’t have much faith in them. Here’s what I recommend. If you’re not running ZoneAlarm, turn on XP’s built-in Internet Connection Firewall.”
Steve Gibson’s Site and Background on DCOMbobulator
Articles in the media:
Experts Warn of New Worm Threat
The Worms of Sept. 11
New Worm on the Way?
SMBP
(Edited by jscher2000 on 12-Sep-03 21:53. Link added to disable DCOM.)
> A number of sites have pointed out in the last couple days that this patch from Microsoft to plug the large Port 135 RPC code
> vulnerability should be downloaded but it won’t do the job competently.
What job won’t it do completely? I assume you mean this:
I’d be happy to say it your way Jefferson–maybe that’s more nuanced and accurate, but a lot of experts have said just what I said, and it wouldn’t be the first patch not to be competent. As you said on more than one occasion, though, the key is having a good firewall configured correctly. It’s my understanding and correct me if I’m wrong that that alone could protect you from this vulnerability and that it would be the most effective tool. Maybe they are belt and suspenders.
SMBP
I think the link from Symantec I put in above does this as well, but when some significant virus is unleashed or a security problem, I always make it a point to go to Trend’s site because they are always crystal clear and do a great job in general and I want to see what their take is, and what tools they have to offer. I think they may update definitions more currently and intensively than Symantec.
SMBP
None on my PCs. We’re testing the fix via the usual SMS job at work. But that’s not the usual way individuals do updates!
There are only three modules replaced by the fix, so it would be difficult for them to get it very wrong. The previous fix just didn’t completely fix the problem. The real prerequisite is a firewall, even the inbuilt “ICF” one in Windows XP. Or, preferably, Zone Alarm.
Iterate; annoy customers; get them to incur much expense…
I haven’t had any problems with it, and a number of people I know haven’t. At an Office 2003 presentation this morning everyone had the patch and no problems. Maybe it’s naive, and I have read some horror stories on patches–“crashed irretrievably broken,” and if anyone has had one I can empathize, but 95 plus % of patch problems I’ve seen or read about are relieved by uninstalling the patch.
With “non-critical” patches, Grant, I think you can well afford to wait and see for a couple weeks–but with the “critical ones” like this one, related to say a problem like the current Port 135 RPC code vulnerability I’m weighing the advantage of getting the patch quickly when an attack may be imminent in 48 hours or less and the disadvantage of the patch and I come down overwhelmingly on the side of getting the patch.
I may be not quoting him exactly, but recently Jefferson said something like 2 essentials for protection are an adequate firewall and updating viral definitions and if you have an adequate firewall you’re probably protected here. Because make no mistake–that patch is not adequate in this vulnerability and you either need a competent firewall or the download on Gibson’s site.
One of the nice by-products of the home networking and small business networking rage the last few years has been the introduction of routers into homes and small businesses that provide a hardware firewall.
SMBP
Thanks for the info. I still wouldn’t just blindly install every patch that Microsoft marks as ‘Critical’. After all, they say that upgrading Windows 98 machines to IE 6 SP-1 is ‘Critical’. However, this patch seems to be ‘Super-Critical’, if you will. It would be nice if we could trust Microsoft to not cry wolf. As it is, I have to double check on each and every patch and that is a big waste of my time that I can’t bill out for.
In another of your messages on this topic you mentioned that using firewalls and applying the patch is kind of a belt and suspenders approach. Many would interpret this as indicating that doing both is overkill. I would just like to remind those people that when someone is actively trying to pull your pants down you will be glad to have both the belt and the suspenders. You will still also hold your pants up with your hands while trying to get away from that person and summon the police at the same time. I guess I just wanted to make sure the suspenders weren’t going to snap and hit me in the face with a buckle causing me to release the pants and embarrass myself.
Can I run with an analogy or what?
Grant–
You can definitely turn an analogy and I always like seeing them–particularly when you can get JohnGray to expound on the nuances and ramifications of pants. I can make most people wince with the ones I love to try to use. I didn’t know if Jefferson would tweak my belt and suspenders comment, but I think there would be a lot less problems on the web if everyone were magically set up with decent firewall protection–particularly if everyone had a hardware firewall.
When I help people set up a computer who are new to it for the first time, and they ask “whatdoIhavetohave” I try to encourage them to get at least some kind of router for that reason alone, and then if they set up a network later, they are on their way.
Much is being made of the number of hotfixes, and while it isn’t mentioned as frequently–the more hotfixes necessary to deploy for the OS or the browser or a server creates its own potential subset of problems in and of itself.
This reference from Symantec’s site may help context the RPC Subsystem: