DCOM worm & Itanium machines

From: Dallman, John (john.dallman_at_EDS.COM)
Date: 08/13/03

    Date:         Wed, 13 Aug 2003 06:39:45 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Itanium machines don't seem to be vulnerable to being infected
    by this virus, but it is worth patching them anyway.

    Microsoft have produced patches for MS03-026 for Itanium, and
    I've tried them out, with apparent success. There are two Itanium
    patches: the one for "Windows XP 64-bit" is for the first version
    of XP for Itanium, released in 2001, which runs on the older
    Intel-manufactured boxes with Itanium I ("Merced") processors.

    That patch won't install on the 2003 version of XP for Itanium,
    which is needed for the new HP-built machines, with Itanium II
    ("McKinley" or "Madison") processors. It seems that you
    have to use the patch for Windows Server 2003 64-bit, which
    installs happily.

    Since the network attack for this worm (as far as I understand
    it) relies on pushing some x86 machine code to somewhere that
    it will get executed, via the buffer overflow, I believe Itanium
    machines won't actually be infected. While an Itanium can run
    x86 code, it has to execute a mode-switch instruction to stop
    understanding its normal 64-bit instruction set and start
    understanding 32-bit x86 code. I seriously doubt that that
    instruction has been used in the attack code, given the rarity
    of Itanium machines. An Itanium version of the infecting code
    is doubtless possible, and the buffer overflow could presumably
    be used for DoS attacks against DCOM servers, so patching
    Itanium machines will be worthwhile.

    --
    John Dallman, Parasolid Porting Engineer, +44-1223-371554