From: Igor Ruderman (igor_at_ssl.berkeley.edu)
Date: Tue Aug 05 2003 - 15:12:20 PDT
Hi All,
I'd like to voice my support for Craig and all those who are
opposed to blocking these ports. As Craig said, this will not fix the
problem. Neither will it fix future similar problems with the same ports
(or any others, for that matter). Here's a snippet from an e-mail I got
from one of the mailing lists:
............
You've really been out of the loop if you haven't heard of this jewel.
This critical security fix applies to Windows NT 4.0, Windows NT 4.0
Terminal Services Edition, Windows 2000, Windows XP and Windows Server
2003. Good news is that if you're running Windows ME you don't have to
worry about it.
What's the big deal? This security flaw leverages a weakness in the
Windows DCOM interface with RPC. DCOM and RPC might be considered the
"heart of Windows" and this security issue strikes at the heart of
Windows. Microsoft tries to buoy our flagging confidence by saying that
TCP ports 135, 139 or 445 have to be open for inbound access to launch a
successful attack. Nobody in his right mind would have those ports
open on a machine directly connected to the Internet, so in fact the
threat is more apparent than real. Right?
Wrong. Even if your firewall is properly set up, you can expect a worm
to arrive in the not so distant future that will introduce an exploit
against this weakness into your corporate network. Once the exploit gets
through the firewall via an email message, HTTP download, KaZaA
downloaded warez application, etc., it will attack the RPC weakness on
your internal network.
FACT: Danger! Danger, Will Robinson. This is not a drill. You must,
without a doubt, immediately install this security patch...........
So, what we are seeing now coming through these ports is but a ripple
before a long-term storm. We are going to see lots and lots of viruses
after this. What we will need then is to have our machines patched and
to have the latest virus protection. As tough and painful as it may be, we
need to have our machines patched; blocking at the border is but
temporary relief that gives all of us time to get those machines patched.
--Igor
------------------------------------------------
Igor Ruderman
Programmer Analyst
MCSE, MCP+I
Center for Science Education
Space Sciences Laboratory
igor_at_ssl.berkeley.edu
http://cse.ssl.berkeley.edu/
http://sunearth.ssl.berkeley.edu/
------------------------------------------------
-- ASCII stupid question, get a stupid ANSI --
------------------------------------------------
-----Original Message-----
From: Craig Lant [mailto:craig_at_ack.berkeley.edu]
Sent: Friday, August 01, 2003 10:38 PM
To: micronet-list_at_uclink.berkeley.edu; ucb-security_at_uclink.berkeley.edu
Subject: [Security] Update on blocking Windows ports
So, lots of people have expressed support for blocking some Windows
ports (some may have been a little overzealous in expressing their
opinions) and some (not so loudly) are opposed to it. I'm still opposed
to it. But, many of those who complained loudly last time we did this
are now in favor of it and many of the members of the Campus Information
Security Committee (CISC) are also in favor of it. Sooo, we'll be
putting a temporary block in place on Tuesday morning. The maximum time
frame on this is four days.
This is NOT intended to be a "fix" for this problem and, of course it
won't fix the problem. It is merely intended to give sysadmins a little
extra breathing room which they've asked for. We won't be permanently
blocking these ports until we have a tested, supportable, effective
alternative service such as the one CNS is working on.
I know some folks wanted to see the block in place this weekend. But,
DOSing so many of our users on a Friday afternoon without significant
notice is just too irresponsible. It's also rather abusive to support
staff who would have had to handle all the trouble calls over the
weekend. Of course, if things get really bad over the weekend, we can
put the block in sooner.
We've used "CalMail" to blast a note to ALL faculty, staff, and (I
think) students about the planned block, encouraging everyone to make
sure their computers get patched. The backlash has already begun, with
several significant user communities complaining about having to pay for
others' inability to keep their systems patched. I can't say that I'm
not sympathetic to those arguments. My hope is that very few systems
will be left still vulnerable Monday night perhaps eliminating the need
for the block. But, we'll see what happens.
FYI, the announcement can be read at:
http://security.berkeley.edu/RPC.block.announce.html
Thanks,
Craig
-------------------------------------
Sent via the ucb-security mailing list.
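As an added example (not from this thread or either author), here is a small Python check of the kind a sysadmin could run against firewall logs while the temporary border block is in place: it flags sources sweeping TCP 135/139/445 across many hosts and separates external sweeps (which the block stops) from internal ones (which, as the quoted snippet warns, it does not). The iptables-style log format, the 10.0.0.0/8 "campus" range and every address are constructed.

```python
"""Flag hosts sweeping the Windows RPC/SMB ports (TCP 135, 139, 445)
in constructed iptables-style firewall log lines.

Hypothetical log format and addresses; not taken from the thread."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

RPC_SMB_PORTS = {135, 139, 445}
INTERNAL = ip_network("10.0.0.0/8")          # assumed campus range
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")

# Constructed sample: one external scanner (dropped at the border),
# one internal host sweeping its neighbours (passed by the border block),
# one internal host doing ordinary file-sharing traffic to a single server.
SAMPLE_LOG = """\
Aug 05 15:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.1.2.3 PROTO=TCP SPT=4321 DPT=135
Aug 05 15:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.1.2.4 PROTO=TCP SPT=4322 DPT=135
Aug 05 15:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.1.2.5 PROTO=TCP SPT=4323 DPT=135
Aug 05 15:01:10 fw kernel: ACCEPT IN=eth1 SRC=10.1.5.9 DST=10.1.2.3 PROTO=TCP SPT=1050 DPT=135
Aug 05 15:01:10 fw kernel: ACCEPT IN=eth1 SRC=10.1.5.9 DST=10.1.2.4 PROTO=TCP SPT=1051 DPT=135
Aug 05 15:01:11 fw kernel: ACCEPT IN=eth1 SRC=10.1.5.9 DST=10.1.2.5 PROTO=TCP SPT=1052 DPT=135
Aug 05 15:01:11 fw kernel: ACCEPT IN=eth1 SRC=10.1.5.9 DST=10.1.2.6 PROTO=TCP SPT=1053 DPT=445
Aug 05 15:02:00 fw kernel: ACCEPT IN=eth1 SRC=10.1.7.2 DST=10.1.0.10 PROTO=TCP SPT=1100 DPT=445
Aug 05 15:02:30 fw kernel: ACCEPT IN=eth1 SRC=10.1.7.2 DST=10.1.0.10 PROTO=TCP SPT=1101 DPT=445
"""


def sweep_sources(log_text, min_targets=3):
    """Return {source: (scope, distinct_targets)} for every source that
    touched RPC/SMB ports on at least min_targets distinct destinations."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group(3)) in RPC_SMB_PORTS:
            targets[m.group(1)].add(m.group(2))
    flagged = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            scope = "internal" if ip_address(src) in INTERNAL else "external"
            flagged[src] = (scope, len(dsts))
    return flagged


if __name__ == "__main__":
    for src, (scope, n) in sweep_sources(SAMPLE_LOG).items():
        # An internal sweeper is exactly the case a border block cannot stop.
        print(f"{src} ({scope}) touched {n} hosts on RPC/SMB ports")
```

Internal sources that show up here are the machines that still need the patch, whatever the border is doing.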
This archive was generated by hypermail 2.1.5 : Tue Aug 05 2003 - 15:21:11 PDT