
Thread: New RPC hotfix from Microsoft

  1. #1
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber

    New RPC hotfix from Microsoft

    Microsoft have issued an updated hotfix for the RPC service on NT/2000/XP/2003-based machines.

    The RPC exploit was the one used by the BLASTER worm in August, causing PCs to reboot, infect other PCs and attempt a denial of service on Windows Update.

    Microsoft have taken a look into the RPC service in more detail and found some more potentially-exploitable vulnerabilities, so here's a new patch...

    Running Windows Update should show you the critical patch(es) you need to apply, but here's the Microsoft Security Bulletin:
    http://www.microsoft.com/technet/tre...n/MS03-039.asp


    Microsoft Security Bulletin MS03-039

    Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
    Originally posted: September 10, 2003

    Summary
    Who should read this bulletin: Users running Microsoft® Windows®

    Impact of vulnerability: Three new vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user’s system.

    Maximum Severity Rating: Critical


    Recommendation: System administrators should apply the security patch immediately

    http://www.microsoft.com/security/se.../ms03-039.asp.

    Affected Software:

    Microsoft Windows NT Workstation 4.0
    Microsoft Windows NT Server® 4.0
    Microsoft Windows NT Server 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  2. #2
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,662
    Thanks
    53
    Thanked
    383 times in 313 posts
    The patch is also on Windows Update for the brave.

    There is also a Winamp 2.9 vulnerability I found out about yesterday - let me know if you want more details.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    792
    Thanks
    15
    Thanked
    9 times in 9 posts
    Guess what I'll be doing for the next few weeks at work - AGAIN!

    Every time these patches come out I get square eyes from staring at a million and one bloody servers!


  4. #4
    | 4|\/| 31337!!!!!!1
    Join Date
    Jul 2003
    Location
    Stourbridge, West midlands, England
    Posts
    445
    Thanks
    0
    Thanked
    0 times in 0 posts
    Thanks for the info. What is this Winamp 2.9 exploit? I'm interested now. Do you have any more info? Cheers

    Arguing with an administrator is like kicking God in the nuts

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Location
    Out There......
    Posts
    223
    Thanks
    1
    Thanked
    0 times in 0 posts
    Yet another hole in the Swiss cheese product that is Windows;
    I'm glad we don't have to pay for these updates.

  6. #6
    Administrator Moby-Dick's Avatar
    Originally posted by CrimsonAvenger
    Guess what I'll be doing for the next few weeks at work - AGAIN!

    Every time these patches come out I get square eyes from staring at a million and one bloody servers!

    Have you had a play around with GFI Network Security Scanner?

    It can be used to automate patch deployment and does some nice security auditing while you are at it.

    Paul, have you tried it? It seems pretty nifty.

  7. #7
    Administrator Moby-Dick's Avatar
    Originally posted by tonicblue
    Thanks for the info. What is this Winamp 2.9 exploit? I'm interested now. Do you have any more info? Cheers
    from the Watchguard Livesecurity notification I got.

    Buffer Overflow in Winamp
    Severity: Medium
    09 September 2003

    Summary:
    In a post to Bugtraq, security researcher Luigi Auriemma disclosed a buffer overflow vulnerability in the popular MP3 player, Winamp. This vulnerability could allow an attacker to execute code on your users' systems with their permissions. There is no direct impact on WatchGuard's products. If your clients use Winamp, see the Solution section below; there is no patch, but there is a workaround that reduces risk.

    Exposure:
    Winamp is a very popular media player used primarily to play MP3 music files. Although Winamp is not a business application, we've found that many employees install popular client applications like Winamp without your authorization. Even if Winamp isn't part of your official corporate desktop image, some of your users probably have it on their systems.

    In his advisory, Luigi Auriemma disclosed a new buffer overflow vulnerability directly affecting Winamp 2.91 (and earlier versions), and slightly affecting Winamp 3. Auriemma found that a specially malformed MIDI file can cause a buffer overflow in Winamp and, in some cases, allow an attacker to execute code on your user's system. If your user has local administrative privileges, an attacker might exploit this flaw to gain control of your user's machine. In his testing, Auriemma found that he could exploit this overflow in Winamp 2.91 (and earlier versions) to execute code. However, although Winamp 3 seemed susceptible to the flaw, he could not exploit it to run programs and only succeeded in crashing Winamp.

    Since Web designers can embed MIDI files so they begin playing as soon as you visit a Web site, a hacker can exploit this issue simply by enticing your users to his malicious Web site or sending them an HTML e-mail. However, the exploit will work only on clients that use Winamp as their default MIDI player.

    Solution Path:
    Currently, Nullsoft has not released a patch correcting this flaw. Auriemma claims to have contacted Nullsoft about the vulnerability a month ago but says he has not received a response concerning a patch. He decided to release his advisory early, and has also supplied the following workaround.

    Your users can easily block exploitation of this flaw by changing their default player for MIDI files. To do so, run Windows Explorer and click Tools => Folder Options => File Types tab. Scroll down in the "Registered file types:" window and highlight the "MID" file extension. Press the Change button and select a new default application for MIDI files. You can select any application that plays this file type; for example, Windows Media Player, which is installed on all Windows systems, will work. (However, Windows Media Player has had security problems of its own -- if you encourage users to choose it as a default MIDI player, make sure they're using a current, patched version.) Now if one of your users were to visit a malicious site exploiting this vulnerability, the malformed MIDI file would open in the newly assigned program rather than the vulnerable Winamp, and the attacker's buffer overflow exploit will not function.

    Status:
    A patch is still pending.

  8. #8
    | 4|\/| 31337!!!!!!1
    cheers moby


  9. #9
    Ex-MSFT Paul Adams's Avatar
    Have you had a play around with GFI Network Security Scanner?
    Can't say I've heard of that one - at work we use a combination of SUS, MBSA and a custom VB scripting program executed from the login script.

    We have Christ knows how many systems analysis tools installed on our clients, to make sure the silly sods - sorry, users, I always make that mistake - don't go installing stuff or running executable attachments called "hi_i'm_a_virus_please_run_me.exe" that appear to come from their friends.

    We really are BOFHs in Tech Support where I work >:-)
    We even force the Outlook clients to open all email as plain text to prevent any dodgy scripting loopholes.
    (Well, that's the official line; really it's because we hate RTF and HTML emails - one guy in Marketing even put an animated GIF and a marquee message in his signature!)

    If I'd been working there at day #1, I'd have implemented mandatory profiles too, given the state some of these PCs get in.
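    As an added example (not code from the thread, WatchGuard or Microsoft), here is a read-only PowerShell audit covering the two things discussed above: whether the MS03-039 hotfix (824146) is present, and which program is the default .mid handler, so machines still opening MIDI in Winamp can be found and re-pointed as in the WatchGuard workaround. It assumes PowerShell on Windows, that the hotfix is listed under its KB number, and that Winamp's registered open command contains the word "winamp".

    ```powershell
    # Added example, not from the thread. Read-only audit a login script could
    # run and append to a central share: reports MS03-039 (hotfix 824146)
    # presence and the default handler for .mid files, so the helpdesk can
    # find machines that still hand MIDI files to Winamp.

    function Get-MidiHandler {
        # The default value of HKCR\.mid names a ProgID; that ProgID's
        # shell\open\command holds the command line Explorer runs for the file.
        # Caveat: newer Windows versions also honour a per-user override under
        # HKCU\...\Explorer\FileExts\.mid\UserChoice, which is not read here.
        $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.mid' `
                   -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { return $null }
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ ProgId = $progId; Command = $cmd }
    }

    function Test-Hotfix824146 {
        # Assumption: the hotfix is recorded under its KB number, as Windows
        # Update / MBSA see it. Absence means the RPCSS patch is still missing.
        $null -ne (Get-HotFix -Id 'KB824146' -ErrorAction SilentlyContinue)
    }

    $handler = Get-MidiHandler
    $report = [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MS03_039_Present = Test-Hotfix824146
        MidiProgId       = $handler.ProgId
        MidiCommand      = $handler.Command
        # Assumption: Winamp's open command contains "winamp" (e.g. winamp.exe).
        MidiViaWinamp    = [bool]($handler.Command -match 'winamp')
    }
    $report | Format-List
    # Appending to a share lets the helpdesk work through the at-risk list:
    # $report | Export-Csv -Path '\\server\share\patch-audit.csv' -Append -NoTypeInformation
    ```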

  10. #10
    Administrator Moby-Dick's Avatar
    How many users do you support?

  11. #11
    Ex-MSFT Paul Adams's Avatar
    Around 950 users, over 53 sites connected to head office via a WAN.

    The satellite branches are only a few users, though - the majority of PCs/users are in 2 adjacent buildings.

  12. #12
    Administrator Moby-Dick's Avatar
    I'd love to be able to implement such a draconian system for my clients, but as a small outsourcer it's hard to justify it.

    Still, the systems that I've been allowed to design have always been reasonably locked down - it's the ones where we've taken over previous / non-existent support that have been a nightmare.

  13. #13
    Ex-MSFT Paul Adams's Avatar
    If it makes you feel any better Moby, the first place I worked at had some very "interesting" legacy systems:

    Day-end routines completely controlled through batch files.
    Backups of data performed by users, using floppy disks.
    A 75-year-old MD (yes, really - he was still MD when I left in 2000; the company got taken over shortly afterwards).

    I could go on...

    I think the best bit, though, is how the first company used an IPX network until one day we moved buildings and my boss (the IT manager) discovered this thing called "TCP/IP" in the Microsoft "Networking Fundamentals" book.

    Well... next thing we know, we've got an IP structure on our LAN... using IP addresses directly taken from the Microsoft examples... using (IIRC) 131.x.x.x addresses, internally.

    "Subnet mask? What's one of those?" was mentioned when a couple of workstations failed to see the others, one day...

    This is a company who installed tills with proprietary DOS-based software... running on Windows 95... storing EFT data in nicely formatted plain text files (basically the customer's track 2 data off their card, plus the amount and date of the transaction)...

    *shudder*
