Re: XP Firewall and blaster worm

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 08/14/03

Date: Wed, 13 Aug 2003 22:07:55 -0400

Sorry I couldn't help, did the best I could, given the phrasing of your
question. Just a note - I patched all my servers and workstations with this
about a day after it came out, and have had no trouble whatsoever. I've seen
posts wherein the patch didn't actually install, and posts wherein the patch
was installed over the worm and had problems...but for regular ole installs
over W2k SP3, NT4 SP6a, WinXP unpatched and SP1, no problem.

You asked, "Is there any way blaster can connect to my TCP port 135 if it
happens to find my IP (which is dynamic, being a dialup, and changes on
every connection) while I am connected?" and I answered that you needed the
patch, which is an implied yes. All systems need regular (albeit cautious)
patching, firewall or no. The latter is not a substitute for the former,
even if you're not on a network.

Sorry if I wasn't able to answer this to your satisfaction, but I'm glad you
found what you wanted via searching - this is all very annoying stuff to us
all! :-)

Gary wrote:
> No, you didn't answer the question, and having just spent
> most of the day finding the answer (and I do appreciate
> the mvp post above about checking the security faq's
> before posting, because that put me on the long, long
> trail of answering the question) I can understand why.
> Whew! If you were simply agreeable to immediately (as
> in, "before it has been in the field for a while and
> tested in a variety of environments") installing the
> patch at MS03-026 (and as I suspected, I have seen a lot
> of people posting today developing immediate problems
> with installing the patch--who tests the tester?) then you
> would indeed fix the basic problem, i.e., the failure of
> Windows RPC service to properly check message inputs
> under certain circumstances, which would cause a buffer
> overrun which would permit an attacker to execute
> arbitrary code (presumably through the underlying DCOM
> interface which listens to RPC without properly checking
> the data passed to it--hence the patch)--the "exploit"
> code in the blaster case, which then spawns a remote
> shell on port 4444 and uses TFTP to download msblast.exe
> and run it (I noted an interesting stopgap defense here
> today--disable access to tftp.exe with NTFS
> security/access permissions). Anyway, to answer my own
> question, XP ICF will block the probes to TCP port 135
> (where DCOM listens by way of RPC) among others by which
> blaster typically gains access to RPC (and I had my port
> probed to verify this--it gave the prober the silent
> treatment). In conjunction with the disabling of CIS (COM
> Internet Services) and its follow on RPC over HTTP I
> should be safe for time being, at least until the wily
> attackers find another vector by which to get to the
> underlying RPC/DCOM error--which is admittedly a good
> reason for accepting the patch at some point down the
> line. The fact that my virus definitions now include the
> w32 blaster worm should also harden my defenses, whatever
> the vulnerability of the underlying RPC/DCOM software.
>> -----Original Message-----
>> I answered your question, I think - everyone needs the patch. Even
>> dynamic IPs, dialup accounts, are susceptible.
>>
>> Gary wrote:
>>> Not to be rude, but if I had wanted company policy I am
>>> aware of that. I would still like to see a response from
>>> someone with the technical expertise to reply directly to
>>> the issues I raised in the initial posting. Thanks.
>>>> -----Original Message-----
>>>> Everyone needs the patch - no ifs, ands or buts. I'm not convinced
>>>> the XP firewall is the greatest thing since sliced bread, but even
>>>> the best firewall is no substitute for regular patching.
>>>>
>>>> Gary wrote:
>>>>> I run XP Home and always have the XP firewall enabled on
>>>>> my dialup connection. I also have the w32.Blaster.Worm
>>>>> virus definition in my virus scan software. I never allow
>>>>> the automatic update service to run (always disabled- -I
>>>>> have always taken a dim view of automatic software
>>>>> downloads and/or installations, also, "better the devil
>>>>> you know than the devil you don't"--give me a service
>>>>> pack update a year or two down the pike). Is there any
>>>>> way blaster can connect to my TCP port 135 if it happens
>>>>> to find my IP (which is dynamic, being a dialup, and
>>>>> changes on every connection) while I am connected? I
>>>>> can't find the particular port blocking menu, which I
>>>>> have seen somewhere in the maze of menus on xp in the
>>>>> past. I don't allow any remote access to any services on
>>>>> my computer (in the firewall settings menu). Do I still
>>>>> need the patch, and if so, why?
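The sequence Gary describes above (a probe of TCP/135, a shell on TCP/4444, then a TFTP fetch of msblast.exe) leaves a recognisable trace in the ICF security log, and the "silent treatment" he saw is just the DROP entries for port 135. The script below is an added example, not code from anyone in this thread: it correlates those three steps per remote host and grades each one. It assumes the W3C field order of XP's pfirewall.log (the `#Fields:` header shown), a local address of 198.51.100.20, and the constructed sample lines embedded in it; nothing in it is taken from a real log.

```python
"""Scan an XP Internet Connection Firewall log for the Blaster traffic pattern.

Added example (not code from this thread). Assumes the W3C field order that
XP's pfirewall.log uses; the log text below is constructed for the demo.
"""
from collections import defaultdict

# Field order assumed for pfirewall.log's "#Fields:" header.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info")

EXPLOIT_PORT = 135   # RPC endpoint mapper (DCOM) that MS03-026 patches
SHELL_PORT = 4444    # port the exploit's remote shell listens on
TFTP_PORT = 69       # UDP port the shell fetches msblast.exe from

LOCAL_IP = "198.51.100.20"  # assumed dialup address at the time of the log

# Constructed sample: three remote hosts with three different outcomes.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-13 22:01:10 DROP TCP 203.0.113.7 198.51.100.20 3217 135 48 S 1829011 0 65535 - - -
2003-08-13 22:01:12 DROP TCP 203.0.113.7 198.51.100.20 3218 135 48 S 1829012 0 65535 - - -
2003-08-13 22:01:40 DROP TCP 203.0.113.9 198.51.100.20 1045 135 48 S 99101 0 16384 - - -
2003-08-13 22:02:05 DROP TCP 203.0.113.9 198.51.100.20 1046 4444 48 S 99102 0 16384 - - -
2003-08-13 22:03:30 OPEN UDP 198.51.100.20 203.0.113.11 1030 69 - - - - - - - -
2003-08-13 22:05:00 OPEN TCP 198.51.100.20 192.0.2.80 1031 80 - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per data line; header and malformed lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("src_port", "dst_port"):
            rec[key] = int(rec[key]) if rec[key].isdigit() else None
        yield rec


def analyze(text, local_ip=LOCAL_IP):
    """Map each remote IP to (severity, explanation) for the Blaster pattern."""
    dropped = defaultdict(lambda: defaultdict(int))  # remote -> dst_port -> drops
    tftp_out = {}                                    # remote -> time of outbound TFTP
    for r in parse_log(text):
        inbound_drop = (r["action"] == "DROP" and r["dst_ip"] == local_ip
                        and r["protocol"] == "TCP")
        if inbound_drop and r["dst_port"] in (EXPLOIT_PORT, SHELL_PORT):
            dropped[r["src_ip"]][r["dst_port"]] += 1
        outbound = r["action"] == "OPEN" and r["src_ip"] == local_ip
        if outbound and r["protocol"] == "UDP" and r["dst_port"] == TFTP_PORT:
            tftp_out[r["dst_ip"]] = r["time"]

    verdicts = {}
    for remote in set(dropped) | set(tftp_out):
        ports = dropped.get(remote, {})
        if remote in tftp_out:
            # The worm fetches msblast.exe over TFTP from the infecting host; an
            # outbound UDP/69 flow means the exploit got past the firewall.
            verdicts[remote] = ("CRITICAL",
                                "outbound TFTP at %s; check for msblast.exe"
                                % tftp_out[remote])
        elif SHELL_PORT in ports:
            verdicts[remote] = ("WARNING",
                                "135 then 4444 probed, all dropped (exploit attempt)")
        else:
            verdicts[remote] = ("INFO",
                                "%d TCP/135 probe(s) dropped" % ports[EXPLOIT_PORT])
    return verdicts


if __name__ == "__main__":
    for remote, (sev, why) in sorted(analyze(SAMPLE_LOG).items()):
        print("%-14s %-8s %s" % (remote, sev, why))
```

DROP entries only appear if "Log dropped packets" is ticked in the ICF security logging settings, and the outbound OPEN entries the CRITICAL rule depends on need "Log successful connections" as well; with both off the log is empty and the script will report nothing, which is not the same as being clean. Note also that the rule grades on the TFTP fetch rather than on port 135 itself, because a host that was exploited over an allowed 135 connection leaves no DROP line at all.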
