Re: !!READ-easy way to fix the new worm-XP!!
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 08/13/03
- Next message: Antnee: "worm patch"
- Previous message: Karl Levinson [x y] mvp: "Re: new blaster.worm"
- In reply to: Lord Midian: "!!READ-easy way to fix the new worm-XP!!"
Date: Wed, 13 Aug 2003 11:28:03 -0400
"Lord Midian" <lordmidian13@hotmail.com> wrote in message
news:0bc501c3618a$ba5f8870$a501280a@phx.gbl...
> I posted this already but some must have missed it. Go to
> your desktop, right-click My Computer, go to Manage,
> then Services and Applications, then Services. Look for
> Remote Procedure Call and disable the second one, the
NO NO NO.
You need to install the patch, and you need to use antivirus, and you need
to use a firewall. Disabling DCOM may or may not secure your system from
this vulnerability, and it does NOTHING NOTHING NOTHING to secure your
machine from other vulnerabilities. Also, are you sure you don't have an
application that needs DCOM on it? www.grisoft.com is free antivirus,
www.windowsupdate.com is free Microsoft patches, and www.sygate.com and
www.kerio.com are free firewalls. What could be easier?
See below. Disabling DCOM, as has been recommended here and elsewhere
recently, does not appear to remove the DCOM RPC vulnerability, at least in
some versions of Windows 2000. This is from NTBugTraq.
-----Original Message-----
From: Marc Maiffret [mailto:marc@EEYE.COM]
Sent: Tuesday, August 12, 2003 3:28 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: DCOM not disabled on Win2k SP0,1,2
Thanks much for the eMail Tod. It should be noted that I just spoke to
Microsoft and they can confirm that DCOM does not truly become disabled on
Windows 2000 SP0, SP1, SP2. Even if you set the registry key and restart or
use the DCOM config tool and restart, you're still vulnerable to the DCOM bug.
Once again Microsoft confirmed this with me on the phone just a little while
ago. Most of us have been saying this the past few days, or weeks in Tod's
case, but a few people still wanted to hear it from MS themselves that this
information is accurate. It is accurate.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: Tod Beardsley [mailto:todb@planb-security.net]
| Sent: Tuesday, August 12, 2003 12:32 PM
| To: Marc Maiffret
| Subject: Re: reports of DCOM worm on the loose...Report #4
|
|
| You posted on NTBugTraq:
|
| > DCOM is not "really" disabled and you are still vulnerable. We have
| > seen this with a few customers of ours and also testing in our lab.
| > Anyone else have the same experience?
|
| Yup. Documented on Jul 28:
|
| "Oh, and in case you have 1000s of workstations and would prefer to
| simply disable DCOM over RPC (with, say, dcomcnfg.exe), don't bother. I
| tested this today on Windows 2000, and even after disabling, removing
| all permissions, and unbinding all protocols, and reboots in between,
| the target was still plenty exploitable." - Me
|
| Just in case you're still gathering data points.