RE: [ActiveDir] New RPC DOS

[Rick Kingslan]

Title: Message

Joe,   Port 135 may be open, but this patch does not allow the same exploit that blaster/nachi used.  The BoF that was exploited is closed, so the port being open is only a RPC port - until the next vuln is found.   Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe Sent: Thursday, September 11, 2003 10:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New RPC DOS I’ve noticed that once this new patch is applied TCP 135 is opened back up, effectively opening ourselves back up to the blaster/lovesan/niachi...  Any idea why?   Joe Pelle Systems Analyst Information Technology Valassis / Targeted Print & Media Solutions 35955 Schoolcraft Rd.   Livonia, MI  48150 Tel 734.632.3753      Fax 734.632.6240 [EMAIL PROTECTED] http://www.valassis.com/   This message may have included proprietary or protected information.  This message and the information contained herein are not to be further communicated without my express written consent.   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2003 11:18 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] New RPC DOS   But if you use applications like Outlook with Exchange 5.5 then you can’t communicate.   -----Original Message----- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2003 9:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] New RPC DOS   The solution is to do away with RPC entirely - but that's a major rewrite of things. On the other hand, I have plenty of Unix boxes running with RPC disabled and they run fine.   Let's remember RPC's major functionality can be replaced, but that's at the expense of more complex application design.   Roger -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2003 12:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New RPC DOS Todd,   >> Anyone have a clue as to how Microsoft plans to fix the RPC system to make it more secure?   Concentrate maybe one or two more people on looking at error checking on the input into the arrays/buffers in the RPC code?  ;op   I mean, really - a vuln lays around waiting for someone to find it for years, and in this short of a time 3 more vuls are found in roughly the same area, just different vectors?  I sure hope that there is a team pouring over the code that makes up RPC.   Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Wednesday, September 10, 2003 2:15 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] New RPC DOS Our Microsoft TAM notified us of this new issue.  I waited to give them time to publish it to the various news sites.    At 9AM PST, PSS will be announcing a new critical security bulletin (MS03-039).   This bulletin will address an RPC denial-of-service vulnerability in Windows products.    Please take the time today to go to the www.microsoft.com/security site to obtain the patch and directions for implementation.    Just trying to help you stay one step ahead!   I think it is very important to get this update on all your DC's even if they are behind a firewall ASAP.  We managed to mitigate blaster but these RPC DOS are starting to get really nasty.   Anyone have a clue as to how Microsoft plans to fix the RPC system to make it more secure?   Thanks,   Todd Myrick