Information Security News mailing list archives

Organizations scramble to patch Microsoft flaws


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Sep 2003 02:15:00 -0500 (CDT)

http://www.nwfusion.com/news/2003/0911scramble.html

By Paul Roberts
IDG News Service
09/11/03

Organizations that use Microsoft's Windows software were scrambling
Thursday to patch vulnerable systems after the company sent word on
Wednesday of three more critical Windows software vulnerabilities.

Marathon patching sessions, anti-virus updates and expressions of
frustration with the Redmond, Wash., software maker were the norm, as
systems administrators rushed to protect themselves from any other
Blaster-style worm that may appear and exploit the new security holes.

The critical holes were found in an interface to a Windows component
called the RPCSS service and affected almost every version of Windows.  
The RPCSS service processes messages using the RPC (Remote Procedure
Call) protocol, which software programs running on different machines
use to communicate, according to Microsoft Security Bulletin MS03-039.

That made the latest bulletin similar to another recent RPC
vulnerability, MS03-026, which was later used by the W32.Blaster and
W32.Welchia worms to infect computers worldwide.

For that reason and others, companies affected by the new
vulnerabilities wasted no time in mobilizing staff to patch their
Windows systems.

IT staff at the Maryland Department of the Environment immediately
began deploying patches to affected servers and user workstations. The
department manages about 1,200 machines in total, with Windows on
almost 100% of the workstations and many of its servers, according to
Hank Torrance, lead networks specialist at the Department.

Unlike their colleagues in the state's Motor Vehicle Administration
who had to contend with a massive Blaster outbreak, staff at the
Department of Environment successfully applied the earlier Microsoft
RPC patch, MS03-026, in July and were spared Blaster's wrath, Torrance
said.

The department is using the same approach with the latest
vulnerabilities: relying on the built-in Windows Update feature to
patch desktops and Novell's ZENworks configuration management tool to
push the patch out to affected Windows servers, he said.

The Blaster worm had a profound effect on the way that technical staff
at Young Electric Sign Co. (YESCO) reacted to Microsoft's
announcement.

The Salt Lake City maker of custom signs and electric displays spent
five days in August digging out from the Welchia (or "Nachi") worm, a
Blaster derivative, which infected around 50 of the company's 650 host
machines and shut down operations in two branch offices, according to
Bret Anderson, network manager at YESCO.

In the past the company's reaction to patches, including the last
major RPC patch, was relaxed, he said.

"You know, Microsoft comes out with patches once a week. So we'd say
'maybe I'll get to it this week, maybe next week,'" Anderson said.

Generally, staff was prompt in patching servers, according to
Anderson.

"But clients? Whatever," he said.

This time around, Anderson summoned the other network administrators
immediately upon learning of the new RPC holes and called for an
all-out effort to get affected systems patched, he said.

"I told them 'I guess we're gonna have a late night. Get patching,'"  
Anderson said.

The company's eight-member IT staff were still busy Thursday
afternoon, but Anderson expects to have all affected server and
desktop machines patched by this weekend, he said.

Anderson also modified YESCO's routers to block RPC and UDP traffic,
just to be sure, he said.

To prevent infection from worms and viruses that might use the new
vulnerabilities, YESCO uses antivirus software from Sophos on the
desktop and at the Web gateway, he said.

The University of Florida in Gainesville also learned valuable lessons
from the last round of RPC worms, according to Network Security
Engineer Jordan Wiens.

After fighting infections from both Blaster and Welchia that
originated from a pool of "random users" who connected to the
university intranet through dial-up and wireless network connections,
IT staff at the university deployed a range of home-grown technology
to cut short future infections.

With links to the University's intrusion detection system (IDS), the
new tools will automatically disconnect users from the intranet once
outbound worm attack traffic is spotted, Wiens said.

Infected users are presented with pop-up messages with links to
University resources for cleaning infected machines and obtaining the
appropriate Microsoft patch, he said.
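The IDS-triggered disconnect described above can be sketched as detection logic over flow records: a host that contacts many distinct neighbours on the RPC ports used by the MS03-026/MS03-039 worms within a short window is flagged and handed to a quarantine step. This is an added illustration, not the University of Florida's tooling; the flow-record format, the sample records, the port set and the fan-out threshold are all constructed assumptions.

```python
"""Flag Blaster-style outbound RPC scanning and produce quarantine actions.
Added example; log format, thresholds and sample data are constructed."""
from collections import defaultdict

# Ports the Blaster/Welchia family scanned for the RPC/DCOM hole (assumption).
RPC_PORTS = {135, 139, 445, 593}
# Constructed threshold: distinct destinations on RPC ports within one window.
FANOUT_THRESHOLD = 20


def constructed_flows():
    """Constructed flow records: 'timestamp src dst dport proto'."""
    flows = []
    # Worm-like host: 25 distinct neighbours on TCP 135 within ~9 seconds.
    for i in range(25):
        flows.append(f"{1063345000 + i // 3} 10.1.2.3 10.1.2.{100 + i} 135 tcp")
    # Normal host: repeated SMB sessions to just two file servers.
    for i in range(6):
        flows.append(f"{1063345000 + i * 5} 10.1.2.4 10.1.2.{50 + i % 2} 445 tcp")
    flows.append("1063345010 10.1.2.5 198.51.100.7 80 tcp")  # ordinary web traffic
    return flows


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto


def find_scanners(lines, window=60, threshold=FANOUT_THRESHOLD):
    """Return {src: distinct_dsts} for hosts that reach >= threshold distinct
    destinations on RPC ports inside any sliding window of `window` seconds."""
    per_src = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport in RPC_PORTS:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                scanners[src] = len(seen)
                break
    return scanners


def quarantine_actions(scanners):
    """One disconnect-and-notify action per flagged host (the page's workflow)."""
    return [{"host": h, "action": "disconnect", "distinct_targets": n,
             "notice": "Machine appears infected: see cleanup and patch resources"}
            for h, n in sorted(scanners.items())]
```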

In the meantime, IT administrators across campus are scanning for
vulnerable machines and using e-mail notification to get staff and
students to patch their systems, he said.

While touting their increased vigilance, system administrators also
expressed frustration with the frequency of critical software patches
from Microsoft.

"I hate to say anything about Microsoft, but with all these
vulnerabilities, they're keeping us busy patching," Torrance said.

"It's just ridiculous," YESCO's Anderson said. "It takes up too much
time. We're kind of understaffed anyway for the number of users we
support and (patching) is not what we had planned to do today,
tomorrow or over the weekend."

The frequent patches have Anderson looking more closely at using the
Linux operating system on the desktop, he said.

The prompt reaction is probably the result of network administrators
getting questioned about Blaster outbreaks and unpatched systems in
August, according to James Foster, director of research and
development at security company Foundstone.

Despite fears about software patches breaking valuable systems,
companies large and small should be looking into patch management and
automatic software update features to quickly disseminate fixes,
especially during the summer, when virus writing activity peaks, he
said.

"The risk of breaking your systems is still smaller than the risk of
not patching for a vulnerability such as this," Foster said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.