[ISN] Organizations scramble to patch Microsoft flaws

From: InfoSec News (isnat_private)
Date: Fri Sep 12 2003 - 00:15:00 PDT

    By Paul Roberts
    IDG News Service

    Organizations that use Microsoft's Windows software were scrambling
    Thursday to patch vulnerable systems after the company sent word on
    Wednesday of three more critical Windows software vulnerabilities.

    Marathon patching sessions, anti-virus updates and expressions of
    frustration with the Redmond, Wash., software maker were the norm, as
    systems administrators rushed to protect themselves from any other
    Blaster-style worm that may appear and exploit the new security holes.

    The critical holes were found in an interface to a Windows component
    called the RPCSS service and affected almost every version of Windows.
    The RPCSS service processes messages using the RPC (Remote Procedure
    Call) protocol, which software programs running on different machines
    use to communicate, according to Microsoft Security Bulletin MS03-039.

    That made the latest bulletin similar to another recent RPC
    vulnerability, MS03-026, which was later used by the W32.Blaster and
    W32.Welchia worms to infect computers worldwide.

    For that reason and others, companies affected by the new
    vulnerabilities wasted no time in mobilizing staff to patch their
    Windows systems.

    IT staff at the Maryland Department of the Environment immediately
    began deploying patches to affected servers and user workstations. The
    department manages about 1,200 machines in total, with Windows on
    almost 100% of the workstations and many of its servers, according to
    Hank Torrance, lead networks specialist at the Department.

    Unlike their colleagues in the state's Motor Vehicle Administration
    who had to contend with a massive Blaster outbreak, staff at the
    Department of Environment successfully applied the earlier Microsoft
    RPC patch, MS03-026, in July and were spared Blaster's wrath, Torrance

    The department is using the same approach with the latest
    vulnerabilities: relying on the built-in Windows Update feature to
    patch desktops and Novell's ZENworks configuration management tool to
    push the patch out to affected Windows servers, he said.

    The Blaster worm had a profound effect on the way that technical staff
    at Young Electric Sign Co. (YESCO) reacted to Microsoft's

    The Salt Lake City maker of custom signs and electric displays spent
    five days in August digging out from the Welchia (or "Nachi") worm, a
    Blaster derivative, which infected around 50 of the company's 650 host
    machines and shut down operations in two branch offices, according to
    Bret Anderson, network manager at YESCO.

    In the past the company's reaction to patches, including the last
    major RPC patch, was relaxed, he said.

    "You know, Microsoft comes out with patches once a week. So we'd say
    'maybe I'll get to it this week, maybe next week,'" Anderson said.

    Generally, staff was prompt in patching servers, according to

    "But clients? Whatever," he said.

    This time around, Anderson summoned the other network administrators
    immediately upon learning of the new RPC holes and called for an
    all-out effort to get affected systems patched, he said.

    "I told them 'I guess we're gonna have a late night. Get patching,'"
    Anderson said.

    The company's eight-member IT staff were still busy Thursday
    afternoon, but Anderson expects to have all affected server and
    desktop machines patched by this weekend, he said.

    Anderson also modified YESCO's routers to block RPC and UDP traffic,
    just to be sure, he said.

    To prevent infection from worms and viruses that might use the new
    vulnerabilities, YESCO uses antivirus software from Sophos on the
    desktop and at the Web gateway, he said.

    The University of Florida in Gainesville also learned valuable lessons
    from the last round of RPC worms, according to Network Security
    Engineer Jordan Wiens.

    After fighting infections from both Blaster and Welchia that
    originated from a pool of "random users" who connected to the
    university intranet through dial-up and wireless network connections,
    IT staff at the university deployed a range of home-grown technology
    to cut short future infections.

    With links to the University's intrusion detection system (IDS), the
    new tools will automatically disconnect users from the intranet once
    outbound worm attack traffic is spotted, Wiens said.

    Infected users are presented with pop-up messages with links to
    University resources for cleaning infected machines and obtaining the
    appropriate Microsoft patch, he said.

    In the meantime, IT administrators across campus are scanning for
    vulnerable machines and using e-mail notification to get staff and
    students to patch their systems, he said.

    While touting their increased vigilance, system administrators also
    expressed frustration with the frequency of critical software patches
    from Microsoft.

    "I hate to say anything about Microsoft, but with all these
    vulnerabilities, they're keeping us busy patching," Torrance said.

    "It's just ridiculous," YESCO's Anderson said. "It takes up too much
    time. We're kind of understaffed anyway for the number of users we
    support and (patching) is not what we had planned to do today,
    tomorrow or over the weekend."

    The frequent patches have Anderson looking more closely at using the
    Linux operating system on the desktop, he said.

    The prompt reaction is probably the result of network administrators
    getting questioned about Blaster outbreaks and unpatched systems in
    August, according to James Foster, director of research and
    development at security company Foundstone.

    Despite fears about software patches breaking valuable systems,
    companies large and small should be looking into patch management and
    automatic software update features to quickly disseminate fixes,
    especially during the summer, when virus writing activity peaks, he

    "The risk of breaking your systems is still smaller than the risk of
    not patching for a vulnerability such as this," Foster said.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Sep 12 2003 - 02:50:59 PDT