Worms shut down thousands of Windows PCs
In this issue
- TOP STORY: Worms shut down thousands of Windows PCs
- INSIDER TRICKS: How to upgrade the Java VM on Windows 2000 SP4
- PATCH WATCH: Language and SSL settings can hose Windows Update
- BEST FREEWARE: Big strides in free security utilities from Steve Gibson
- WACKY WEB WEEK: A celebration of political moderation
Worms shut down thousands of Windows PCs
By Brian Livingston
I reported in the last issue of Brian’s Buzz on the “port 135” security hole that Microsoft recently described as critical. This flaw affects not only Windows XP, 2000, and NT 4.0, but also the much-hyped new Windows Server 2003. Microsoft has released a patch, but most people haven’t installed it yet. Well, time’s running out – worms that exploit the flaw started making attempts to hit every PC on the Internet just a couple of weeks after the vulnerability became publicly known.
As I write this, Stanford University has reported that 2,400 of its roughly 20,000 campus PCs were infected in a matter of days by worms that took advantage of this hole. Malicious “Trojan” code that was deposited onto the machines’ disks may take weeks to clean out of the systems, said Cedric Bennett, Stanford’s director of information security services, in a statement.
Even worse, the University of California at Berkeley announced that, due to the same attacks, it was being forced to shut down all access from outside the campus to its Windows-based file sharing and Exchange servers for a period of four days.
If you haven’t yet secured your own systems against this hole, jump to my July 24 issue and read about the steps you need to take. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.
One critical patch you probably don’t know you need
Aside from the worms described above, Microsoft recently started warning Windows users about a separate threat that would allow a malicious person within your intranet to gain system privileges.
A snag in this alert, however, is the fact that Microsoft’s Windows Update service will not notify users of Windows XP, 2000, Me, or 9x that an update even exists. Only those few installations that are currently running Windows Server 2003 will receive a notice from Windows Update about the problem and the availability of its patch.
The security hole involves Microsoft’s SQL Server program. Many people who are affected, however, are totally unaware that they have an instance of SQL Server present. That’s because SQL Server is silently installed as part of other applications, including the Microsoft Data Engine 1.0 and Microsoft Desktop Engine (MSDE).
To determine whether a machine has a copy of SQL Server that may need patching, search all drives and folders for a file named sqlservr.exe. If that file is present, it should be considered for upgrading.
For details on the upgrade procedures for the different program versions that are vulnerable, read Microsoft security bulletin MS03-031 and Knowledge Base article 815495.
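The file search described above can be scripted so that it also reports each copy's version for comparison against MS03-031 and Knowledge Base article 815495. This is an added example, not part of the original newsletter; it assumes a Windows host with PowerShell 3.0 or later, and the function name `Find-SqlServerBinary` and its output columns are illustrative.

```powershell
# Added example: inventory every sqlservr.exe on the local fixed drives.
# Find-SqlServerBinary and its output columns are illustrative names.
function Find-SqlServerBinary {
    [CmdletBinding()]
    param(
        # Roots to search; defaults to every local fixed disk (DriveType 3).
        [string[]]$Root = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
                           ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($r in $Root) {
        # -Force includes hidden and system folders. Folders that cannot be
        # read are collected in $denied instead of aborting the search.
        Get-ChildItem -LiteralPath $r -Filter 'sqlservr.exe' -File -Recurse -Force `
                      -ErrorAction SilentlyContinue -ErrorVariable +denied |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Product     = $_.VersionInfo.ProductName
                    LastWrite   = $_.LastWriteTime
                }
            }
    }
    if ($denied) {
        # An incomplete search can hide an embedded instance, so say so.
        Write-Warning ("{0} folder(s) could not be read; rerun elevated for full coverage." -f $denied.Count)
    }
}

$hits = @(Find-SqlServerBinary)
if ($hits.Count -eq 0) {
    Write-Output 'No sqlservr.exe found on local fixed drives.'
} else {
    # Each row is a separate copy to evaluate, including ones that were
    # installed silently by another application.
    $hits | Sort-Object Path | Format-Table -AutoSize
}
```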
How to upgrade the Java VM on Windows 2000 SP4
W2K SP4 also won’t allow an updated version of the VM to be installed, as advised by the “critical” security bulletin MS03-011, if the VM was never installed in the first place.
Reader Patrick Slattery explained that he has to first install Windows 2000 with Service Pack 3 – then upgrade the VM, then upgrade to SP4 – in order to run Java services that are written in J++. That’s a lot of work.
Reader Michael Calabrese points out that Microsoft has released an updated hotfix for the VM that can be installed after W2K SP4.
As far as I can determine, you can use the following procedure to upgrade the VM on W2K SP4 so it’s immune to the security problem:
- Step 1. You must first ensure that the Microsoft VM is installed. In Windows 2000 (any service pack level), click Start, Run, and then type cmd in the Open box. Click OK. In the DOS box that appears, type jview and press Enter.
- Step 2. If you see an error message that begins, “jview is not recognized…”, then the VM is not installed. You need to install it from an earlier version of Windows or from a redistributable version provided by a third party.
- Step 3. If the VM is installed, you can now upgrade it on W2K SP4 by using Windows Update, according to Microsoft Knowledge Base article 820101.
- Step 4. A better way is to download a file that can be distributed to multiple computers in your organization that have the VM installed. To do this, visit the Windows Update Catalog page. (The catalog is not compatible with Windows NT 4.0, so a later Windows version must be used.)
- Step 5. In the left-hand navigation bar of the page, click “Find Microsoft Windows Updates.” Select Windows 2000 SP4, then click the Search button. In the list of categories of downloads that appears, click “Critical Updates and Service Packs.” A list of downloads will be generated.
- Step 6. Scroll down to the item named 816093. Click the Add button to add this to your Download Basket. Click “Go to download basket.” Click the Browse button to specify a location on your drive to download the file. Click the Download Now button. Click the Accept button to accept the license agreement. Use the downloaded file to install the VM upgrade.
Be sure to read Knowledge Base articles 820101, 816093, and 163637 for complete information about this process.
Language and SSL settings can hose Windows Update
I reported in my June 5 issue that Microsoft’s Windows Update program can say that a PC requires no updates when the machine, in fact, is in need of several. Reader Jeremy Rosenblatt found that the system clock not being accurate can trigger this behavior. Erroneous times are common when initially setting up a PC.
Now Aaron Campagne brings more meat to the stew. Microsoft’s Product Support Services has confirmed to him that a PC’s language and SSL (Secure Sockets Layer) settings, in addition to its clock, can cause Windows Update to blank out on updates.
Aaron says, “I was experiencing this problem on my own PC (Windows XP Professional with IE 6.0). I used all of the solutions you listed in this and another article that I believe was yours as well, but to no avail. I contacted Microsoft directly and they gave me the solution to the problem. My language settings were not correct.”
The following is the diagnosis by a Microsoft representative of the different kinds of problems that can befuddle Windows Update:
“I understand that you have recently formatted your hard drive and there are no updates offered to download after the scan at the Windows Update site. … We have found that this can be caused if the date on your system is not correct. …
“This issue might also occur if the Language settings in Internet Explorer are not set correctly. To Set the correct Language in Internet Explorer:
- Launch Internet Explorer.
- Click the Tools menu and then choose Internet Options.
- Click the Languages button on the General tab.
- Make sure “English (United States) [en-us]” is at the top of the list. If it is not, either move it or add it.
“Now try and download updates from the Windows Update site. If this does not resolve the issue, please follow the steps given below.
“This might also have been caused by SSL (Secure Sockets Layer).
- Click Start, point to Settings, and click Control Panel.
- Double-click the Internet icon.
- Click the Advanced tab.
- Under Security, select one of the following check boxes:
  - PCT 1.0
  - SSL 2.0
  - SSL 3.0
“Click OK.”
In the Microsoft rep’s discussion of SSL, above, I’d add the fact that you should probably try turning on SSL 3.0 first. If that doesn’t solve the problem, then turn it off and turn on SSL 2.0, and so forth.
The mysteries of Windows Update can indeed be perplexing. But at least my readers are making some headway in puzzling them out.
Big strides in free security utilities from Steve Gibson
Steve Gibson, the developer of the SpinRite disk guardian, is a respected security consultant who’s made many tools available without charge over the years. I’d say he’s outdone himself this time. He’s completed a major overhaul of his “ShieldsUP!” diagnostic service and released a completely new utility that’ll solve your “messenger spam” problem for good.
- New ‘ShieldsUP!’ boasts greatly enhanced scanning
Gibson’s famous ShieldsUP! routine is said to have been run more than 20 million times over the past four years by an unknown number of concerned Internet users. (People testing their machines are likely to run the test over and over before achieving an improved security state.)
This old warhorse of a program has been completely revamped. It can now test your machine in less than a minute for vulnerabilities on all 1,056 ports that malicious hackers might try to exploit. (That number includes the 1,023 “normal” ports that most Internet services are restricted to, in addition to a few above 1,023 that Microsoft has quietly placed Windows services on, opening security risks.) Alternately, you can click a button to test only the most common ports, or even a single port, within a mere second or two.
The image at left shows a tiny example of ShieldsUP’s new capabilities. In this diagram, each of the 1,056 tested ports is represented by a red, blue, or green square that’s only 2 pixels high by 2 pixels wide. (The actual display is much larger, like that of a defragger at work.) The blue pixels at the top show that the first few ports that were tested by ShieldsUP! were closed (present but unavailable for hacking). Suddenly, firewall software in the machine detected that someone was scanning ports. In defense, the firewall stopped identifying the state of any ports. The remaining ports show up in the diagram as green (not present and therefore not interesting for hacking).
Gibson explains all of this – and how you can use the information to secure your machines to the greatest extent possible – at his site. The details can be a bit overwhelming, but stick with it. ShieldsUP! has brought Windows misconfigurations to the attention of millions of PC users, and it can do lots more tricks for you today than ever before.
- ‘Shoot the Messenger’ eliminates messenger spam permanently
Gibson’s other new program halts a growing form of spam that’s found its way onto the Internet in the past few months. “Shoot the Messenger” stops spammers from using UDP port 135 to display advertising messages that “pop-up” on users’ screens. This port was originally intended to send important admin messages across a LAN. (It’s unrelated to instant messenger programs such as AIM.) But spammers have figured out how to exploit it remotely.
No one needs Microsoft’s network messenger, since newer IM programs serve the purpose better. But the old network message system is enabled by default in Windows 2000 and XP. This potentially exposes PC users to an endless stream of irritating messages as spammers quickly develop and expand this technique.
Gibson’s “Shoot the Messenger” utility is a tiny, 22 KB program that simply disables the network service and then re-enables it whenever you want. Unless your company is dependent upon Microsoft’s network messenger, you should kill it as just another needless security hole.
My thanks to reader Graham Rollings for his help with this topic.
A celebration of political moderation
Reader Larry Best nominated as this week’s wacky site a Web project that he himself helped put together. It’s “Sherman P. Wright’s Celebration of Political Moderation.” It’s billed as Republicans poking fun at the “Big-C Conservatives” of their own party. But I found that the site takes a few pot shots at liberals for good measure, too.
The site’s obviously just getting started, but a few funny pages are already there, and more material is solicited with open arms. “Moderate comments are welcome,” is I think the way they put it. Take a look for yourself. You might even be able to submit some moderately amusing thoughts. It’s at Sherwright.com (you’re sure right, get it?).
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
