-
Fraggin- I haven't seen anything negative come out of this patch yet. Spent all of last night patching a whole crap load of systems without a single problem.
As for verifying patch installation. I would not rely on the MS tools. Most of the time they are just looking to see if the installer program put the proper reg keys in place. What I like to do is open up the fix and get the date/version of all of the files included in the fix.
I then write a simple batch file that will go out to all of the servers that I upgraded and verify that the date/version of the hotfix files on the server match what is new from the hotfix.
That is about the only way to 100% verify that a hotfix has been installed. I have seen instances where for whatever strange reason 1 file would not be upgraded, so we implemented this process for all hotfix installs.
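One way to script that file-version check today, as an added example rather than the poster's own batch file: a PowerShell script that reads the version resource of each patched file over the admin share and flags any host where a file is missing or older than the copy shipped in the hotfix. The file names, version numbers and host names are placeholders to be filled in from the extracted hotfix.

```powershell
# Added example (not the poster's batch file): verify a hotfix by comparing the
# version of each file it ships against the file actually present on each server.
# File names, versions and host names below are placeholders; take the real
# values from the extracted hotfix package before running this.
$Expected = @{
    'file1.dll' = '0.0.0.0'   # placeholder: version of the file inside the hotfix
    'file2.dll' = '0.0.0.0'   # placeholder
}
$Servers = @('SERVER01', 'SERVER02')   # placeholder host names
$SubDir  = 'system32'                  # where the hotfix drops its files under %windir%

function Get-FileVersionObject {
    param([string]$Path)
    # Build a [version] from the numeric parts. The FileVersion string can carry
    # trailing build text, which would make a direct [version] cast fail.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$Results = foreach ($Server in $Servers) {
    foreach ($Name in $Expected.Keys) {
        $Path = "\\$Server\admin`$\$SubDir\$Name"
        $Want = [version]$Expected[$Name]
        try {
            $Have = Get-FileVersionObject -Path $Path
            # -ge rather than -eq so a later hotfix that supersedes this one still passes
            $Status = if ($Have -ge $Want) { 'OK' } else { 'OLD' }
        } catch {
            $Have = $null
            $Status = 'MISSING/UNREACHABLE'
        }
        [pscustomobject]@{ Server = $Server; File = $Name; Expected = $Want; Found = $Have; Status = $Status }
    }
}

# Any row that is not 'OK' means the hotfix did not fully apply on that host,
# regardless of what registry keys the installer wrote.
$Results | Sort-Object Status, Server | Format-Table -AutoSize
```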
-
Also patching
I started patching some "non-critical" machines last night. I checked their Event Viewer logs after the reboot, and there was nothing abnormal. Full functionality was available. I ran this on an IIS web server, a file and print server, and a few workstations.
Today, I am patching machines at a DR site for my company. I've patched a SQL 2k server, more file and print machines, and several machines running Lotus Domino. No problems here either.
So for me at least, the patch looks ok.
-
MS is sending this newsletter out to anybody that subscribes to any of their lists.
Dear IT Professional,
We are contacting you today to make you aware that we have released Microsoft Security Bulletin MS03-039 today, September 10, 2003. This bulletin details three critical vulnerabilities in the Windows operating system and provides instructions for applying the corresponding patch. While there is currently no active exploit of this vulnerability, if successfully exploited, these vulnerabilities would allow an attacker to gain control of the target system.
We strongly encourage you to obtain and deploy this patch to any affected system that connects to your infrastructure; this includes systems on your local area network and remote or mobile systems. For the most current information on affected systems and recommended remediation steps, please read the bulletin posted at: http://www.microsoft.com/technet/sec...n/ms03-039.asp
We understand the potential effect this situation and the recommended remediation steps may have on you. Microsoft is committed to providing you with information and tools to help run your enterprise safely and reliably on an on-going basis. When we become aware of vulnerabilities, it is our goal to quickly share protection and remediation information and work in partnership with you to eliminate these kinds of threats to your business. In order to help protect your computing environment from security vulnerabilities, we strongly encourage you to visit http://www.microsoft.com/technet/security/protect and implement the following three steps in your enterprise:
1. Verify firewall configuration. Audit Internet and intranet firewalls to ensure they comply with your security policy; these are your first line of defense. In addition, evaluate using host-level firewalls such as the Internet Connection Firewall in Windows XP. This is especially important for systems such as laptops and home PCs that connect to your network remotely.
2. Stay up to date. Use update services from Microsoft to keep your systems up to date. These services include three main components.
- Automatic Updates, available on Windows XP, Windows 2000 SP3 and SP4, and Windows Server 2003. Automatic Updates works with the Windows Update Web site to automate the process of updating Windows systems.
- Software Update Services (SUS), a patch-distribution server available for download from our Web site. SUS enables you to deploy a server in your enterprise that Automatic Updates clients will use to get only approved and tested patches.
- Systems Management Server (SMS) is a flexible, enterprise-wide software update and systems management product.
In addition to using these update services, we strongly recommend that you subscribe to Microsoft's free security notification service at http://www.microsoft.com/securitynotification, so that you are proactively kept aware of new security issues.
3. Use and keep antivirus software up-to-date. Antivirus software programs will help protect your systems against viruses and other malicious code. To protect your systems from new viruses, it's also important to obtain up-to-date antivirus signatures through a subscription service from the antivirus software vendor. You should not let remote users or laptops connect to your network unless they have up-to-date antivirus software installed. In addition, consider using antivirus software in multiple points of your computer infrastructure, such as on edge Web proxy systems, as well as on email servers and gateways.
You should also protect your network by requiring employees to take the same three steps with home and laptop PCs they use to remotely connect to your enterprise, and by encouraging them to talk with friends and family to do the same with their PCs. To make this easier, we have set up a new Web site to assist PC users at http://www.microsoft.com/protect.
Again, we want to encourage you to read this security bulletin and deploy the patch to your systems. We want to thank you for your patience and work with you to protect your business from these kinds of security threats.
Thank you,
Microsoft Corporation
For information about Microsoft's privacy policies, please go to http://www.microsoft.com/info/privacy.htm
-
Microsoft put out this security alert on 10th Sept, but according to the following URL, the vulnerability was already disclosed by a Chinese Security group in July... interesting.. isn't it?
http://xforce.iss.net/xforce/alerts/id/152
And the article reports that an exploit is already out... (Anyone got hit yet??)
-Scim
-
The 'sploit that the x-force group is referring to is the DoS portion of MS03-039. Yes, that has been known since 6/21 to be in the wild. It cannot easily be turned into a worm, but it could be used as a payload for a worm.
The exploits that we're waiting for, although we don't want them, are the exploits for the 2 BoFs in MS03-039. They have yet to be found in the wild.
Exibar
-
Our plan for this patch is really the same as the last patch..
1. Start with patching the office-based client PCs. These are simple low-risk systems and shouldn't cause much trouble; aim to cover them in a couple of days.
2. Then recall all remote laptops (assuming you can't patch remotely) immediately, giving a two week window for the equipment to come in.
3. If you have remote sites with no IT support, prioritise them by most business critical location first. Patch all PCs and servers at remote sites in one go.
4. Patch centrally located servers running standard software.
5. Finally, look to servers running esoteric or obscure services. You'll probably want to patch these last, because that will give you a greater opportunity to back out and fix any problems with the vendor (i.e. you might not want to be the first to try patching your platform and losing a business critical system).
That's only a rough order. Basically, you need to patch everything you can lay your hands on as the opportunity arises.
OK.. that's what to do if everything goes according to plan, but if you're a large organisation with sparse resources it's likely that you won't get 100% done by the time the worm hits, so plan for this too.
- In the event of a worm being released, bring the server patching forward and do it as soon as possible for all systems.
- Ensure that you have a packet sniffer running on your local network, in conjunction with information gleaned from your favorite security resources to find if you have been infected. Use a port scanner where appropriate. Ensure that anti-virus patches are loaded immediately.
- If the worm enters your network, or you deem that this is likely you will need to have the business agree that you can take emergency action (get the agreement in advance). This will mean that unpatched equipment should be disconnected from the network, so bar any unpatched laptops from dialling in and consider blocking traffic to and from remote unpatched sites until the threat subsides or a patch can be applied.
There are further steps you can take to mitigate the risk.
- Warn all users to ensure that no equipment is used outside the corporate firewall and then brought in. This is the most common way for a worm to get past the firewall.. somebody simply walks past it with an infected laptop. It might be worth getting agreement from the business so that harsh disciplinary action will be taken against violators. I would suggest that anybody who infects the corporate network despite being warned should be fired.
- Make sure all desktop PCs are switched off when not in use. This is a simple way of limiting the spread of an infection and could well enable you to contain a problem before it gets serious.
- Keep a constant eye on news sources (the Internet Storm Center is probably the best, but also AntiOnline, Slashdot etc) so that you know what's going on. Check when you get up in the morning. Check every hour or so at work. Check when you get home. Check when you go to bed. When the worm hits, get as much information as you can and then implement your agreed contingency plan if it seems necessary.
OK, that's a lot of stuff. If you weren't doing something similar for the RPC-1 hole then now is the time to look at this level of planning for the RPC-2 hole.
I personally think the RPC-2 exploit is going to be nastier, faster spreading and generally more difficult to control than MSBlast and Nachi. And also I reckon that there's a window of about three weeks absolute max to get this done.
Enjoy patching!