
Thread: Ms03-39

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    748

    Ms03-39

    Only one security announcement from MS today...

    MS03-39- basically an updated patch for the RPC buffer overflow issues.

    Title: Buffer Overrun In RPCSS Service Could Allow Code Execution
    (824146)
    Date: September 10, 2003
    Software: Microsoft Windows NT Workstation 4.0; Microsoft Windows NT
    Server® 4.0; Microsoft Windows NT Server 4.0, Terminal Server Edition;
    Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server
    2003
    Impact: Run code of attacker's choice
    Maximum Severity Rating: Critical
    Bulletin: MS03-039

    The Microsoft Security Response Center has released Microsoft Security
    Bulletin MS03-039

    What Is It?
    The Microsoft Security Response Center has released Microsoft Security
    Bulletin MS03-039 which concerns a vulnerability in the versions of
    Microsoft Windows listed above.

    Microsoft has released a tool that can be used to scan a network for the
    presence of systems which have not had the MS03-039 patch installed.
    More details on this tool are available in Microsoft Knowledge Base
    article 827363. This tool supersedes the one provided in Microsoft
    Knowledge Base article 826369 which was developed to scan systems for
    the vulnerability patched by MS03-026.

    More information is now available at
    http://www.microsoft.com/technet/sec...n/MS03-039.asp

    In an effort to better communicate with our customers, Microsoft will
    also be conducting a Webcast to provide guidance on Protecting Your PC
    and details of MS03-039.
    http://www.microsoft.com/usa/webcasts/upcoming/2373.asp

    If you have any questions regarding this alert please contact your
    Technical Account Manager.

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Good ta know, thanks.


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    At this moment, several underground groups are racing to get a worm out into the wild. For all of you who just went through the blaster worm remediation process, get ready for part II. I'd advise all of your admins to get patching ASAP.

    As for me, it will be a late night as I have to coordinate the distribution and certify yet another MS patch.

    Dammit!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Also, as posted on NTBugtraq. If you apply the MS03-039 patch and run the scanner for MS03-026 the scanner will say that you have not applied the MS03-026 patch.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  5. #5
    Here we go again.. say hello to all those PCs you visited just the other week.

    It'd be nice if we'd been able to finish up from the RPC hole. And if we weren't constantly patching these MS products, maybe we'd be able to look at the automated deployment we need so much!

  6. #6

    New scan tool

    CXGJarrod, you posted:

    Also, as posted on NTBugtraq. If you apply the MS03-039 patch and run the scanner for MS03-026 the scanner will say that you have not applied the MS03-026 patch.
    The Technet article on this one says that this situation is true, that scanners that scan for MS03-026 will not detect it being patched if you have this new patch only applied. Microsoft has a new scanner out that will detect both patches.

    Here is what Microsoft has to say on this:
    Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.
    Basically, I am just gonna sit in a corner and cry for a while. I personally patched 120 machines for this previously, and now I get to do it again!
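
    The false "missing MS03-026" report discussed above is what an exact-match check produces when it does not account for a newer patch replacing an older one. The following is an added illustration, not Microsoft's scanner and not code from anyone in this thread: a simplified model of the reporting logic, with constructed host names and inventory, in which the only supersedence link is the one the thread describes (MS03-039 over MS03-026).

```python
# Added example: simplified model of patch-compliance reporting.
# Inventory and host names are constructed sample data.

# Newer bulletin -> the bulletin whose patch it replaces.
# The thread gives one link: MS03-039 updates the MS03-026 RPC fix.
SUPERSEDES = {"MS03-039": "MS03-026"}

def covered(installed):
    """Every bulletin satisfied by the installed set, following
    supersedence links transitively (the seen-check stops cycles)."""
    done = set()
    for bulletin in installed:
        while bulletin is not None and bulletin not in done:
            done.add(bulletin)
            bulletin = SUPERSEDES.get(bulletin)
    return done

def missing_exact(installed, required):
    """Superseded-scanner behaviour: only an exact match counts."""
    return sorted(set(required) - set(installed))

def missing_aware(installed, required):
    """Supersedence-aware check: a newer patch satisfies older ones."""
    return sorted(set(required) - covered(installed))

def audit(inventory, required):
    """Per host: both verdicts, plus bulletins only the exact-match
    check flags (the false 'missing' reports)."""
    report = {}
    for host, installed in inventory.items():
        exact = missing_exact(installed, required)
        aware = missing_aware(installed, required)
        report[host] = {
            "exact": exact,
            "aware": aware,
            "false_missing": sorted(set(exact) - set(aware)),
        }
    return report

INVENTORY = {  # constructed
    "ws-01": ["MS03-026"],
    "ws-02": ["MS03-039"],
    "ws-03": ["MS03-026", "MS03-039"],
    "ws-04": [],
}
REQUIRED = ["MS03-026", "MS03-039"]

if __name__ == "__main__":
    for host, row in audit(INVENTORY, REQUIRED).items():
        print(host, row)
```

    Host ws-02 is the case from the thread: only the newer patch is installed, so the exact-match verdict lists MS03-026 as missing while the supersedence-aware verdict is clean. Host ws-01 still needs MS03-039 under both checks.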

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    Guys, Just wanted to know two things.

    If any of you guys would like to share a testing process for patches (other than the one MS recommends)

    If anyone out there knows of any repercussions by this patch, PLEASE POST FOR THE SAKE OF OTHERS.................

    Thanks,
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  8. #8
    Junior Member
    Join Date
    Sep 2003
    Posts
    6
    No test like production

    Seriously....we have over 5000 units, probably 3k with XP. And while we're pretty good to go at the firewall, we got hit bad over the head by laptop users plugging into our network.

    Our desktop/helpdesk [under]staff[ed] just could not react quick enough. We're still recovering from the 1st round.....

    We don't test....we DO. And hope for the best.
    Pete Fanning

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    Sometimes it is best to throw a patch out into the production world if you know that others have successfully installed the patch or if you see other companies getting hit with the vulnerability. Microsoft recommends that you test a patch in a test environment for at least two weeks before implementing into a production environment. I don't remember where that article is, but I'm sure that it is easy to find. Here is a link that compares Hotfixes to Service packs if anyone is interested.
    http://www.microsoft.com/technet/tre...s/srvpatch.asp
    Thanks for the input.
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  10. #10

    Cool

    Yeah, I know you are supposed to test patches and updates. Normally, we do. However, in my environment (this is a horror story for another time), we just don't have the luxury of time and resources to run a two week test on a critical update while the production servers are hanging out with their collective fly open. We almost got caught on a zero-day once before and we can't afford to risk it again.

    We run a pretty vanilla shop with standard server and desktop hardware. So there are a minimal number of possible incompatible applications or systems that may be affected by the application of a critical patch or update. Our stance on vendor apps is that if a critical patch is applied and the app fails, it is placed off-line until the vendor fixes it. Security first.

    Roll-ups, SRs and such are checked out as best we can prior to putting into production. We also don't try to do too many things at once, especially on the servers. Again, time and resources play into these decisions, but the overriding criteria is security.

    We actually ran this RPCSS patch last night on all the servers. Everything seems to be fully functional and running smoothly this AM. The main thing, I think, is to keep the whole current. Not current in just the security patches, but the firmware, BIOS, the drivers, OS updates, all that.
