enigmatech wrote:

> I can confirm this. I discovered the worm when it attempted (and failed)
> to infect my machine (Win XP Pro) this afternoon. Immediately after
> securing the firewall setting that left me vulnerable to the port 135
> attack I checked windowsupdate.microsoft.com and confirmed that I had in
> fact installed the patch a few weeks earlier. While security software on
> my system prevented the overflow payload from using tftp, the payload
> managed to terminate the RPC svchost process twice, forcing a system
> halt. This is similar to the effects of the WinNuke exploitation of a
> similar overflow bug in RPC earlier in the year.

It sounds like your system may be vulnerable to other RPC exploits besides Blaster, and like it might be worthwhile reapplying the patch.

Windows Update definitely is not a good indicator of whether the patch is installed. Neither is Add/Remove Programs. Windows Update and UpdateExpert don't verify the files that are on the system because they are optimized for speed rather than accuracy. They merely check a registry entry that gets added by the patch. So they can't tell you if your system is patched, but they can give an indication that the patch installation routine was run at some time or another. Add/Remove Programs tells you that the patch was installed but does not tell you if the patch's files were overwritten by some other installation or update.

One specific case in Win2K that causes the machine to appear patched when it is not: install Win2K SP4, don't reboot, then install the RPC patch and reboot. XP probably has some similar combinations that result in failure even though your system reports success.

Microsoft's MBSA or Shavlik's HFNetChk should give a good answer about whether the correct files are installed, and eEye's free Retina RPC scanner can tell you from an external perspective whether or not your system is vulnerable. It is probably best to use multiple tools to verify the system's status.
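The distinction drawn in the reply, a registry marker saying "the installer ran" versus the patched binaries actually being present on disk, can be checked directly. The script below is an added example and is not part of the original post or any of the tools it names; it assumes the classic Win2K/XP-era hotfix marker location under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\<KB id>`, and the hotfix id, file path and minimum version in the usage block are placeholders to be filled in from the vendor bulletin for the patch being verified.

```powershell
# Added example (not from the original post): separate "patch installer ran"
# (hotfix registry marker exists) from "patch files are really in place"
# (binary versions on disk meet the bulletin's minimum). This is the gap the
# reply describes between Windows Update/Add-Remove and file-level scanners.

function Test-HotfixRegistryMarker {
    param([Parameter(Mandatory)][string]$HotfixId)
    # Assumption: hotfix marker key used by Win2K/XP-era patches.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\$HotfixId"
    return (Test-Path -Path $key)
}

function Test-PatchedFileVersions {
    # $ExpectedVersions maps an absolute file path to the minimum acceptable version string.
    param([Parameter(Mandatory)][hashtable]$ExpectedVersions)
    $results = foreach ($path in $ExpectedVersions.Keys) {
        $expected = [version]$ExpectedVersions[$path]
        if (-not (Test-Path -Path $path)) {
            # Missing file: an overwrite by a later install can remove a patched binary entirely.
            [pscustomobject]@{ File = $path; Expected = $expected; Actual = $null; Ok = $false }
            continue
        }
        $info = (Get-Item -Path $path).VersionInfo
        # FileVersion strings may carry trailing text, so build the version from the numeric parts.
        $actual = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
        [pscustomobject]@{ File = $path; Expected = $expected; Actual = $actual; Ok = ($actual -ge $expected) }
    }
    return $results
}

function Get-PatchStatus {
    param(
        [Parameter(Mandatory)][string]$HotfixId,
        [Parameter(Mandatory)][hashtable]$ExpectedVersions
    )
    $marker = Test-HotfixRegistryMarker -HotfixId $HotfixId
    $files  = Test-PatchedFileVersions -ExpectedVersions $ExpectedVersions
    $allOk  = (@($files | Where-Object { -not $_.Ok })).Count -eq 0

    # The two signals disagree exactly in the cases the reply warns about.
    if ($marker -and $allOk)          { $verdict = 'patched (marker and files agree)' }
    elseif ($marker -and -not $allOk) { $verdict = 'marker present but files missing or overwritten: reapply patch' }
    elseif (-not $marker -and $allOk) { $verdict = 'files current but marker missing' }
    else                              { $verdict = 'not patched' }

    [pscustomobject]@{
        HotfixId       = $HotfixId
        RegistryMarker = $marker   # what Windows Update / Add-Remove effectively consult
        FilesVerified  = $allOk    # what a file-level scanner checks
        Verdict        = $verdict
        Details        = $files
    }
}

# Usage. PLACEHOLDER values: take the hotfix id, file list and minimum
# versions from the security bulletin for the patch you are verifying.
$expected = @{
    "$env:SystemRoot\System32\rpcrt4.dll" = '0.0.0.0'   # PLACEHOLDER minimum version
}
Get-PatchStatus -HotfixId 'KB000000' -ExpectedVersions $expected | Format-List
```

Run it as an administrator so every file in the table is readable. A `marker present but files missing or overwritten` verdict is the state the reply describes, where Windows Update and Add/Remove Programs report success while the machine is still exposed, and it should be cross-checked with a file-level scanner and an external check before the host is considered patched.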
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 22:52:55 PDT