#1 | Paul Adams (MSFT) | 11-09-2003, 08:59 AM
    New RPC hotfix from Microsoft

    Microsoft have issued an updated hotfix for the RPC service on NT/2000/XP/2003-based machines.

The RPC exploit was the one used by the BLASTER worm in August, causing PCs to reboot, infect other PCs and attempt a denial of service on Windows Update.

    Microsoft have taken a look into the RPC service in more detail and found some more potentially-exploitable vulnerabilities, so here's a new patch...

    Running Windows Update should show you the critical patch(es) you need to apply, but here's the Microsoft Security Bulletin:
    http://www.microsoft.com/technet/tre...n/MS03-039.asp


    Microsoft Security Bulletin MS03-039

    Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
    Originally posted: September 10, 2003

    Summary
Who should read this bulletin: Users running Microsoft® Windows®

    Impact of vulnerability: Three new vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user’s system.

    Maximum Severity Rating: Critical


    Recommendation: System administrators should apply the security patch immediately

    http://www.microsoft.com/security/se.../ms03-039.asp.

    Affected Software:

    Microsoft Windows NT Workstation 4.0
    Microsoft Windows NT Server® 4.0
    Microsoft Windows NT Server 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    [ Personal Website ] - [ Technet Blog ]
    Main PC: Win7 x64 / Asus P6T Deluxe / Core i7 920 / 12GB DDR3 / 120GB SSD / GeForce GTX285
    Server: W2K8 R2 / Asus P5K Premium / Core2 E6750 / 8GB DDR2 / 150GB, 500GB SATA2 / GeForce 9800GTX
    HTPC: Win7 x64 / Asus P5E-VM HDMI / Core2 E6850 / 4GB DDR2 / 400GB SATA2 / ATI 3650 Silent
#2 | Moby-Dick (Administrator) | 11-09-2003, 09:09 AM
The patch is also on Windows Update for the brave.

There is also a Winamp 2.9 vulnerability I found out about yesterday - let me know if you want more details.



#3 | CrimsonAvenger (Senior Member) | 11-09-2003, 09:13 AM
    Guess what I'll be doing for the next few weeks at work - AGAIN!

Every time these patches come out I get square eyes from staring at a million and one bloody servers!


#4 | tonicblue | 11-09-2003, 09:20 AM
Thanks for the info. What is this Winamp 2.9 exploit? I'm interested now. Do you have any more info? Cheers


    Arguing with an administrator is like kicking God in the nuts
#5 | Darkmatter (Senior Member) | 12-09-2003, 11:05 AM
Yet another hole in the Swiss cheese product that is Windows.
I'm glad we don't have to pay for these updates.
#6 | Moby-Dick (Administrator) | 12-09-2003, 11:18 AM
Originally posted by CrimsonAvenger:
    Guess what I'll be doing for the next few weeks at work - AGAIN!

    Every time these patches come out I get square eyes from staring at a million and one bloody servers!

Have you had a play around with GFI Network Security Scanner?

It can be used to automate patch deployment and does some nice security auditing while you are at it.

Paul, have you tried it either? It seems pretty nifty.



#7 | Moby-Dick (Administrator) | 12-09-2003, 11:20 AM
Originally posted by tonicblue:
    Thanks for the info. What is this Winamp 2.9 exploit? I'm interested now. Do you have any more info? Cheers

From the WatchGuard LiveSecurity notification I got:

    Buffer Overflow in Winamp
    Severity: Medium
    09 September 2003

    Summary:
    In a post to Bugtraq, security researcher Luigi Auriemma disclosed a buffer overflow vulnerability in the popular MP3 player, Winamp. This vulnerability could allow an attacker to execute code on your users' systems with their permissions. There is no direct impact on WatchGuard's products. If your clients use Winamp, see the Solution section below; there is no patch, but there is a workaround that reduces risk.

    Exposure:
    Winamp is a very popular media player used primarily to play MP3 music files. Although Winamp is not a business application, we've found that many employees install popular client applications like Winamp without your authorization. Even if Winamp isn't part of your official corporate desktop image, some of your users probably have it on their systems.

    In his advisory, Luigi Auriemma disclosed a new buffer overflow vulnerability directly affecting Winamp 2.91 (and earlier versions), and slightly affecting Winamp 3. Auriemma found that a specially malformed MIDI file can cause a buffer overflow in Winamp and, in some cases, allow an attacker to execute code on your user's system. If your user has local administrative privileges, an attacker might exploit this flaw to gain control of your user's machine. In his testing, Auriemma found that he could exploit this overflow in Winamp 2.91 (and earlier versions) to execute code. However, although Winamp 3 seemed susceptible to the flaw, he could not exploit it to run programs and only succeeded in crashing Winamp.

    Since Web designers can embed MIDI files so they begin playing as soon as you visit a Web site, a hacker can exploit this issue simply by enticing your users to his malicious Web site or sending them an HTML e-mail. However, the exploit will work only on clients that use Winamp as their default MIDI player.

    Solution Path:
    Currently, Nullsoft has not released a patch correcting this flaw. Auriemma claims to have contacted Nullsoft about the vulnerability a month ago but says he has not received a response concerning a patch. He decided to release his advisory early, and has also supplied the following workaround.

    Your users can easily block exploitation of this flaw by changing their default player for MIDI files. To do so, run Windows Explorer and click Tools => Folder Options => File Types tab. Scroll down in the "Registered files types:" window and highlight the "MID" file extension. Press the Change button and select a new default application for MIDI files. You can select any application that plays this file type; for example, Windows Media Player, which is installed on all Windows systems, will work. (However, Windows Media Player has had security problems of its own -- if you encourage users to choose it as a default MIDI player, make sure they're using a current, patched version.) Now if one of your users were to visit a malicious site exploiting this vulnerability, the malformed MIDI file would open in the newly assigned program rather than the vulnerable Winamp, and the attacker's buffer overflow exploit will not function.

    Status:
    A patch is still pending.



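The File Types dialog described in the WatchGuard workaround above changes a registry association, which is hard to verify by hand across a fleet. The following PowerShell is an added example (not part of the WatchGuard notice, this thread, or Winamp) that reports which program Windows will actually launch for a .mid file and, optionally, points the extension at a different registered ProgID. It assumes the classic HKCR\.mid -> ProgID -> shell\open\command chain plus the per-user Explorer UserChoice key on newer Windows, and the ProgID name used in the usage comment is a placeholder, not a value from the page.

```powershell
# Added example, not from the thread or from WatchGuard: audit (and optionally
# change) the application Windows launches for .mid files, so an admin can
# check whether the "change the default MIDI player" workaround is in place.
# Assumptions: HKCR\<ext> default value names a ProgID; the ProgID's
# shell\open\command holds the launch command; newer Windows versions may
# override both through a per-user Explorer UserChoice key.

function Get-MidiHandler {
    [CmdletBinding()]
    param([string]$Extension = '.mid')

    # Per-user override (Windows 8 and later): Explorer honours UserChoice first.
    $userChoiceKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $userChoice = (Get-ItemProperty -Path $userChoiceKey -ErrorAction SilentlyContinue).ProgId

    # Machine-wide association: the default value of HKCR\.mid names a ProgID.
    $hkcrExt = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $hkcrExt -ErrorAction SilentlyContinue).'(default)'

    $effective = if ($userChoice) { $userChoice } else { $progId }
    $command = $null
    if ($effective) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        Extension        = $Extension
        MachineProgId    = $progId
        UserChoiceProgId = $userChoice
        EffectiveProgId  = $effective
        OpenCommand      = $command
        # -match is case-insensitive by default, so "Winamp.exe" and "winamp.exe" both hit.
        HandledByWinamp  = [bool]($command -match 'winamp')
    }
}

function Set-MidiHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProgId,
        [string]$Extension = '.mid'
    )
    # Refuse to point the extension at a ProgID that is not registered.
    if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\$ProgId")) {
        throw "ProgID '$ProgId' is not registered on this machine."
    }
    # HKCU\Software\Classes is merged into HKCR ahead of HKLM\Software\Classes,
    # so a per-user association can be written without administrative rights.
    $key = "HKCU:\Software\Classes\$Extension"
    if ($PSCmdlet.ShouldProcess($key, "Set default handler to $ProgId")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value $ProgId
    }
    Get-MidiHandler -Extension $Extension
}

# Usage: report the current handler and warn if Winamp would be launched.
$before = Get-MidiHandler
$before | Format-List
if ($before.HandledByWinamp) {
    Write-Warning ".mid files currently open in Winamp: $($before.OpenCommand)"
    # 'Some.Other.MIDI.ProgId' is a placeholder; pick a ProgID that exists under
    # HKEY_CLASSES_ROOT for the player you want, then drop -WhatIf to apply it.
    # Set-MidiHandler -ProgId 'Some.Other.MIDI.ProgId' -WhatIf
}
```

On Windows 8 and later an existing UserChoice entry still wins over the HKCU\Software\Classes value that Set-MidiHandler writes, so there the audit half is useful but the change has to be made through Default Apps or a Group Policy default-associations file; on the Windows 2000/XP generation the notice addresses, the HKCR association is what counts.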
#8 | tonicblue | 13-09-2003, 03:32 PM
Cheers Moby


#9 | Paul Adams (MSFT) | 13-09-2003, 04:18 PM
Originally posted by Moby-Dick:
    Have you had a play around with GFI Network Security Scanner?
    Can't say I've heard of that one - at work we use a combination of SUS, MBSA and a custom VB scripting program executed from the login script.

    We have Christ knows how many systems analysis tools installed on our clients, to make sure the silly sods - sorry, users, I always make that mistake - don't go installing stuff or running executable attachments called "hi_i'm_a_virus_please_run_me.exe" that appear to come from their friends.

We really are BOFHs in Tech Support where I work >:-)
    We even force the Outlook clients to open all email as plain text to prevent any dodgy scripting loopholes.
    (Well, that's the official line, really it's because we hate RTF and HTML emails - one guy in Marketing even put an animated GIF and a marquee message in his signature!)

    If I'd been working there at day #1, I'd have implemented mandatory profiles too, given the state some of these PCs get in

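Paul describes keeping his estate patched with SUS, MBSA and a custom program run from the login script. As an added example (not Paul's script and not from this thread), here is a PowerShell compliance sweep that checks a list of hosts for the MS03-039 hotfix, KB824146, the number given in the bulletin at the top of the thread. PowerShell did not exist in 2003 and Paul's tool was VBScript, but the check is the same WMI Win32_QuickFixEngineering query either way. It assumes the caller has administrative rights on each host, that WMI/RPC is reachable, and that a file hosts.txt (assumed, one name per line) exists.

```powershell
# Added example, not Paul's login-script program and not part of the thread:
# sweep a host list and report which machines still lack a given hotfix.
# Assumptions: Get-HotFix (Win32_QuickFixEngineering) is reachable on every
# host, the caller is an administrator there, and hosts.txt exists.

function Test-HotFixCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$KbId = 'KB824146'   # MS03-039 hotfix number from the bulletin
    )
    foreach ($computer in $ComputerName) {
        $status = 'Error'; $installedOn = $null; $err = $null
        try {
            # Enumerate every hotfix and filter locally, so "KB not present" is a
            # normal empty result rather than something that has to be caught.
            $fix = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $KbId }
            if ($fix) {
                $status = 'Installed'
                $installedOn = ($fix | Select-Object -First 1).InstalledOn
            } else {
                $status = 'Missing'
            }
        } catch {
            # Distinguish a host that is down from one that refused the WMI call
            # (access denied, RPC blocked), and keep sweeping either way.
            if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
                $status = 'Unreachable'
            }
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            ComputerName = $computer
            KbId         = $KbId
            Status       = $status
            InstalledOn  = $installedOn
            Error        = $err
        }
    }
}

# Usage: hosts.txt is an assumed inventory file with one host name per line.
$hosts  = Get-Content -Path '.\hosts.txt'
$report = Test-HotFixCompliance -ComputerName $hosts
$report | Format-Table -AutoSize

# Anything not marked Installed needs attention: missing patch, or a host the
# scanner could not query, which is itself a finding.
$report | Where-Object { $_.Status -ne 'Installed' } |
    Export-Csv -Path '.\ms03-039-noncompliant.csv' -NoTypeInformation

$report | Group-Object Status | Select-Object Name, Count
```

Win32_QuickFixEngineering only lists updates that registered themselves through the update mechanism, so a machine patched by hand-copying files can show as Missing while a machine with the KB registered but a later rollback can show as Installed; MBSA-style file-version checks against the bulletin's file list are the cross-check when the QFE answer is in doubt.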
#10 | Moby-Dick (Administrator) | 13-09-2003, 04:47 PM
How many users do you support?



#11 | Paul Adams (MSFT) | 13-09-2003, 07:46 PM
    Around 950 users, over 53 sites connected to head office via a WAN.

The satellite branches are only a few users, though - the majority of PCs/users are in 2 adjacent buildings.

#12 | Moby-Dick (Administrator) | 13-09-2003, 10:05 PM
I'd love to be able to implement such a draconian system for my clients, but as a small outsourcer, it's hard to justify it.

Still, the systems that I've been allowed to design have always been reasonably locked down - it's the ones where we've taken over previous / non-existent support that have been a nightmare.



#13 | Paul Adams (MSFT) | 14-09-2003, 07:44 AM
    If it makes you feel any better Moby, the first place I worked at had some very "interesting" legacy systems:

    Day-end routines completely controlled through batch files.
    Backups of data performed by users, using floppy disks.
A 75-year-old MD (yes, really - he was still MD when I left in 2000; the company got taken over shortly afterwards).

    I could go on...


I think the best bit, though, is how the first company used an IPX network until one day we moved buildings and my boss (the IT manager) discovered this thing called "TCP/IP" in the Microsoft "Networking Fundamentals" book.

    Well... next thing we know, we've got an IP structure on our LAN... using IP addresses directly taken from the Microsoft examples... using (IIRC) 131.x.x.x addresses, internally.

    "Subnet mask? What's one of those?" was mentioned when a couple of workstations failed to see the others, one day...


This is a company who installed tills with proprietary DOS-based software... running on Windows 95... storing EFT data in nicely formatted plain text files (basically the customer's track 2 data off their card, plus the amount and date of the transaction)...

    *shudder*
