Tick... tick... tick...
Jul. 28th, 2003 11:44 pm
Attacks using the new RPC/DCOM hole are picking up in frequency and volume. So much so that one Uni says they will start pulling vulnerable systems from their net. Not COMPROMISED systems... VULNERABLE systems. I.e., "Oh, you didn't patch this week? No worry. We'll just undo your network connection RIGHT HERE [*CRUNCH*]...."
Small wonder, though. There's exploits out in source, one with a menu so you don't even have to think about the target system offset value. Heck, there's a precompiled Windows32 app version of the 'sploit. Point and drool system breakin. It's like a feeding frenzy; h4x0r r10t0Rz l00T1n.
Wonder what I'm talking about? Ok, here's an easy way to tell if your system is open to the vulnerability announced in MS03-026:
Q: Running Windows NT4, 2000, XP, or 2003?
a) No? Not vulnerable.
b) Yes? It's vulnerable...
...unless you patched recently specifically for the hole, or you're running personal firewall software (in which case, your box still has the hole, but is reasonably protected if the FW is set up correctly).
Oh, MS suggested a "workaround" -- turn off DCOM, a "workaround" that breaks Acrobat, Excel, and many other applications. "Gee, Thanks!"
Wonder what I'm talking about?
Run dcomcnfg (Start->Run->dcomcnfg)
Click "no" a couple times.
Looooook at that list of software you might break by turning off DCOM. "Gosh, great suggestion, Microsoft!"
Alternatively, unplug affected system, and bury head in sand. Hum loudly.
(no subject)
Date: 2003-08-02 01:49 am (UTC)
Secondly, I don't have a 'no' on my machine. Is this a bug introduced with some service pack after 2?
Cuz I won't install 3 because it b0rks things. And yes, I have 2 firewalls. One external to the box, and the software one running on the box that alerts me when something wants to connect out. Which I go "um no" to. And some applications b0rk if you do that, so I don't use said applications.
Anyway. So. Like. Where is no?
And I think I'll turn off distributed dcom anyway and see what b0rks because the whole concept of 'distributed computing' on a local network with a bunch of FreeBSD boxen and one NT box - um, yeah, that's like, so not gonna be distributed the Microsoft way.
And if they seriously coded something that requires the machine to contact itself thru distributed dcom for the app to work, I'm not using that app because it's b0rked in my opinion.
I can do this, I know larger companies can't, but I can, I'm unemployed at the moment (:
(no subject)
Date: 2003-08-02 01:53 am (UTC)
(No I don't use it for printing so it's bloated crapware for me, and I will not install it. If I need the info out of it and I can't get it out, I run pdf2html on it and blammo, I have usable document, much smaller.)
(no subject)
Date: 2003-08-02 08:35 am (UTC)
Pretty painful. I suppose it helps with portability or ensures long-term employment, or something.
(no subject)
Date: 2003-08-02 08:58 am (UTC)