April 15th, 2004, 08:33 AM
Microsoft Vuln LSASS,DCOM,RPCSS..
Got an email the other day; I should have posted earlier, but I've been a little busy.
eEye Digital Security Uncovers Dangerous Vulnerabilities in Microsoft Windows
Six new vulnerabilities related to Microsoft Windows were announced today. The discoveries include critical flaws in Windows Remote Procedure Call (RPC), Local Security Authority Subsystem Service (LSASS), and in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. Of the six newly discovered, four are extremely critical since they allow for the remote execution of code on unpatched machines.
Affected systems include all current versions of Microsoft Windows and Windows Server 2003.
These vulnerabilities could potentially allow an attacker to take complete control of an affected system. An attacker could then take any action on the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. eEye and Microsoft have released detailed advisories to alert Windows users of the need to immediately secure vulnerable machines on their networks.
RPC Runtime Library Vulnerability - Remote code execution (w2k,xp,2003)
LSASS Vulnerability - Remote code execution (w2k,xp,2003)
Metafile Vulnerability - Remote code execution (w2k,xp,nt 4)
Local Descriptor Table Vulnerability - Privilege Elevation (w2k,nt 4)
Virtual DOS Machine Vulnerability - Privilege Elevation (w2k,nt 4)
RPCSS Service Vulnerability - DoS (w2k,xp,2003)
*The above assessment is based on the types of systems that are affected by the vulnerability, typical deployment patterns, and the effect that exploiting the vulnerability would have on them. (source: Microsoft)
Protecting Against These Vulnerabilities
The most effective way to protect vulnerable systems is to apply the hotfixes released by Microsoft. The hotfixes will remediate these vulnerabilities, and can be found here:
Retina Network Security Scanner
Retina has been updated to check for all of the above vulnerabilities. These checks are included in Retina versions 4.9.194 and higher. Retina is the only scanner that is 100% non-intrusive and can scan remotely without administrative access. For a comprehensive list of Retina audits click here:
Additional Information: eEye Security Bulletins
Microsoft DCOM RPC Memory Leak
Microsoft DCOM RPC Race Condition
Windows Local Security Authority Service Remote Buffer Overflow
Windows Expand-Down Data Segment Local Privilege Escalation
Windows VDM TIB Local Privilege Escalation
Windows Metafile Heap Overflow
Or if you feel like some more reading, here's the press release.
April 15th, 2004, 02:51 PM
There's already a PoC for MS04-011 in circulation. It's patch time once again! Too bad X-mas doesn't come this often.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
April 15th, 2004, 06:29 PM
It does for me... Every time a new MS vulnerability is discovered, it rains penguins. It's a wonderful feeling knowing that I don't have to wait for MS to have a secure system.
Real security doesn't come with an installer.
April 15th, 2004, 07:39 PM
Wait for MS? Hardly, just put in a firewall and all of these problems go away.
April 15th, 2004, 08:28 PM
Yikes... I stayed out of the firewall thread as it just turned into a pee-pee match.. But.. Installing a firewall hardly makes all of these issues go away. It is far too often that people think a firewall is a fix-all solution, and it's not. A firewall will in no way help a network that is attacked from the inside. I can't find the article right now, but I remember reading some statistics that talked about how most large corporations are infected by laptops, floppy disks, web-based email, and VPN connections as opposed to across the internet.
I think "a standard firewall will fix it" as an answer to MS04-011, specifically, is not the right answer. There are several bug fixes in this bulletin that are related to how a webpage interacts with a browser. In most cases, if the user has been foolish enough to be tricked into viewing a malicious site, the vast majority of home-level NAT firewall products are not going to eliminate this type of threat. I'm not going to get into the semantics of this type of firewall product vs. that. Just be aware that the term "firewall" as it is used in the commercial market covers a whole wide range of products, very few of which do what a firewall should as described by programs such as CISSP.
For the standard user who may not have a high level of sophistication when it comes to avoiding "bad" situations, patching their system is really the best answer.
On a side note... I've seen several alert notifications today from the security organization inside my company about the proof-of-concept that is out that exploits one of these bulletins, as well as some speculation that the RPC-DCOM issues are close enough to the issues from last year that the exploit code that was used in Blaster can be modified to exploit these new RPC/DCOM errors. Bottom line was a suspected net attack coming about because of these exploits in the next few days. At least with the last couple of go-arounds with Blaster, Slammer, and Code Red we had a month or two to get systems patched. If a mass-propagating worm using one of these recently announced patches were to come out in the next few days, we could have a serious problem on our hands, as most people are still trying to get all of their machines patched. If they know to patch them at all.
April 15th, 2004, 08:34 PM
Heh, I knew I should have done the famous < /sarcasm> bit on my above post.