Patching RPC flaw a breeze compared to SQL patch

A Windows patch repairing a critical flaw in Remote Procedure Call installs easily, experts said.

Some observers have compared the critical Windows RPC-DCOM vulnerability to the SQL Server flaw that empowered the Slammer worm in January. There are similarities but there is a noticeable difference: patching the RPC flaw is much easier.

The patch for the RPC-DCOM flaw, available since July 16, isn't particularly difficult to install, experts said. It's not nearly as hard as installing a Service Pack. "We have had no reports of blue screens or other problems," said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force security monitoring operation.

"It's a pretty easy patch to install," Ingevaldson continued. "But that is an engineer talking. I am not sure how my mother or grandmother would find installing it."

Luckily for Ingevaldson's mother and grandmother, Windows XP's automatic update feature can handle that task, which could help reduce the exposure of many home users.

SQL Server users didn't have such an easy option, but they did have six months to patch before Slammer struck. The problem was that the SQL Server patch was difficult to install, especially on remote machines, because files had to be copied and pasted by hand, system administrators said at the time.

Also, Slammer was so successful (it took only 10 minutes for it to spread to 90% of vulnerable systems) because many companies unknowingly had UDP port 1434 open to the outside world. The worm could fire copies of itself at those ports, infecting more systems.

Users can learn a lesson from Slammer. Blocking certain ports would prevent exploitation of the RPC-DCOM vulnerability, whether by an attacker working manually or by a worm. The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh recommends blocking external access to the following ports: TCP 135, UDP 135, TCP 139, UDP 139, TCP 445 and UDP 445.

Generally, companies shouldn't experience many problems with blocking those ports at the perimeter. But companies could also face a threat if the ports are left open internally, as some need them to be. A telecommuter who uses a VPN connection to access the main network could be the weakest link in the security chain, because the affected ports would be open across the tunnel, Ingevaldson said. Often remote employees don't have the same level of security protection, so they are more likely to become infected by a worm.

Organizations that take a more proactive approach to security won't need to fear being hurt by the vulnerability, said Gary Morse, president of Razorpoint Security Technologies, which conducts penetration tests for companies. Hardening operating systems and using intelligent firewalls that can analyze traffic at a deeper level would help, he said.

Issues such as the RPC vulnerability highlight a flaw in the way many companies think about security. "The mindset is to block a port because it's bad," said Tim Mullen, chief information officer and chief software architect for AnchorIS.com, a developer of accounting software. "You should only open the ports you need and block everything else."
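As an added illustration, not from the article or any of the sources it quotes, the following Python script audits a perimeter rule list against the CERT-recommended blocks listed above and flags the "block a port because it's bad" posture Mullen describes. First-match rule evaluation is assumed, and both sample rule sets are constructed for the example.

```python
"""Check a perimeter filter against the CERT-recommended blocks for the
RPC-DCOM flaw and flag a permit-by-default policy (added example)."""
from dataclasses import dataclass

# Ports CERT recommended blocking from the outside: TCP and UDP 135, 139, 445.
RPC_DCOM_PORTS = frozenset((p, n) for p in ("tcp", "udp") for n in (135, 139, 445))


@dataclass(frozen=True)
class Rule:
    """One inbound rule; proto is 'tcp', 'udp' or 'any'; the port range is inclusive."""
    action: str      # "allow" or "deny"
    proto: str
    first_port: int
    last_port: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.first_port <= port <= self.last_port


def decide(rules, default_action: str, proto: str, port: int) -> str:
    """First matching rule wins (assumed semantics); otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return default_action


def exposed_rpc_ports(rules, default_action: str) -> set:
    """Return the (proto, port) pairs an external host could still reach."""
    return {p for p in RPC_DCOM_PORTS if decide(rules, default_action, *p) == "allow"}


def audit(rules, default_action: str) -> list:
    """Human-readable findings; an empty list means the filter passes."""
    findings = []
    for proto, port in sorted(exposed_rpc_ports(rules, default_action)):
        findings.append(f"{proto.upper()} {port} reachable from outside")
    if default_action == "allow":
        findings.append("default policy is allow; open only the ports you need")
    return findings


# Constructed sample rule sets (not taken from any real firewall).
# 1. "Block a port because it's bad": denies TCP 135/139 only, everything else permitted.
BLOCK_BAD = [Rule("deny", "tcp", 135, 135), Rule("deny", "tcp", 139, 139)]
# 2. Open only what is needed and deny everything else.
DEFAULT_DENY = [Rule("allow", "tcp", 80, 80), Rule("allow", "tcp", 443, 443)]

if __name__ == "__main__":
    for name, rules, policy in (("block-bad", BLOCK_BAD, "allow"), ("default-deny", DEFAULT_DENY, "deny")):
        print(name, audit(rules, policy) or ["OK"])
```

Run against the "block-bad" set it reports UDP 135, UDP 139 and both 445 ports as still reachable, plus the permit-by-default policy; the default-deny set passes cleanly.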

FOR MORE INFORMATION:

Microsoft security bulletin MS03-026

