DCOM worm & Itanium machines
From: Dallman, John (john.dallman_at_EDS.COM)
Date: 08/13/03
Date: Wed, 13 Aug 2003 06:39:45 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Itanium machines don't seem to be vulnerable to being infected
by this virus, but it is worth patching them anyway.
Microsoft have produced patches for MS03-026 for Itanium, and
I've tried them out, with apparent success. There are two Itanium
patches: the one for "Windows XP 64-bit" is for the first version
of XP for Itanium, released in 2001, which runs on the older
Intel-manufactured boxes with Itanium I ("Merced") processors.
That patch won't install on the 2003 version of XP for Itanium,
which is needed for the new HP-built machines, with Itanium II
("McKinley" or "Madison") processors. It seems that you
have to use the patch for Windows Server 2003 64-bit, which
installs happily.
Since the network attack for this worm (as far as I understand
it) relies on pushing some x86 machine code to somewhere that
it will get executed, via the buffer overflow, I believe Itanium
machines won't actually be infected. While an Itanium can run
x86 code, it has to execute a mode-switch instruction to stop
understanding its normal 64-bit instruction set and start
understanding 32-bit x86 code. I seriously doubt that that
instruction has been used in the attack code, given the rarity
of Itanium machines. An Itanium version of the infecting code
is doubtless possible, and the buffer overflow could presumably
be used for DoS attacks against DCOM servers, so patching
Itanium machines will be worthwhile.
-- John Dallman, Parasolid Porting Engineer, +44-1223-371554