Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
In the aftermath of Blaster
In this issue
- TOP STORY: In the aftermath of Blaster
- HOT TIPS: Stopping Blaster and future attacks
- PATCH WATCH: Here we go again: 'Critical' flaw affects all IE 5 and 6 users
- BEST FREEWARE: Free service finds hotspots for you - and rates them
- INSIDER TRICKS: Plugging in a printer makes your PC not boot up
- WACKY WEB WEEK: Egg-ceptional: Flash animations that rock and roll
In the aftermath of Blaster
By Brian Livingston
The serious security hole in Windows that I warned you about in the July 24 and August 7 issues of Brian’s Buzz exploded onto the front pages of newspapers around the world on August 13. Hundreds of thousands of PCs – afflicted with a vulnerability in the Remote Procedure Call (RPC) of Windows – were infected by a worm that’s been called Blaster, MSBlast, and Lovsan. Variants of that worm have been spreading since then, and the problem won’t totally go away any time soon.
Tons of articles have been written about the Blaster worm, so I won’t repeat that here. Instead, this issue of Brian’s Buzz contains an overview of this and other problems you need to be aware of. I’ve also prepared a Special Report on steps you should take to head off even more severe problems in the future.
- Microsoft gets a nightmare of publicity. The Blaster disaster, for whatever reason, generated enormous mainstream media coverage – of the kind that no corporation wants to be the subject of. Perhaps it was because the worm rebooted some PCs with only 60 seconds warning, creating a highly visible calamity. Or perhaps it was because the U.S. Dept. of Homeland Security itself had issued a rare announcement about this particular Windows weakness only days before the attack. In any case, Microsoft is now in the public eye for its security shortcomings more than ever.
- Windows Update remains up. The creator of the Blaster worm designed it to flood Microsoft’s Windows Update site with packets from PCs infected with the rogue program. Intended presumably as a “lesson” to Microsoft, the attack began on August 16 and was scheduled to continue unabated until December 31, 2003. It would then resume for the last two weeks of each month until June 2004.
The programmer of Blaster, however, erred by directing the attack at the domain name windowsupdate.com. This name always redirected to the true name, windowsupdate.microsoft.com. Microsoft averted Blaster’s attack by simply disabling the shorter name. The service itself remains operational, although it was slowed by the many Windows users who suddenly wanted to download patches.
- Microsoft’s mistakes spawned more criticism. Aside from the overall topic of Windows security holes, some more recent Microsoft blunders worsened the crisis. After its original MS03-026 bulletin about the weakness in Windows was sent out, Microsoft hired an e-mail marketing firm called Digital Impact to send additional, official-looking warnings. But these e-mail messages weren’t digitally signed, in violation of Microsoft’s repeated pronouncements that users should consider such unsigned messages to be hoaxes.
To add insult to injury, numerous reports surfaced that Windows Update was reporting that users had successfully installed the MS03-026 patch when it had, in fact, failed. In these cases, the site tests only whether the patch has been run once, not whether it’s actually installed and working. Machines that ran out of memory or failed to install the patch for other reasons would not be detected by Windows Update as still being vulnerable. (My thanks to reader Michael R. for his help with this topic.)
- Windows 2000 upgrades to SP4 undo the MS03-026 patch. Take Windows 2000 machines with Service Pack 3, patch them with MS03-026, and then upgrade them to Service Pack 4. They become vulnerable to Blaster again. If you don’t need the features of SP4, either hold off on installing it, or do install it and then manually disable the Windows DCOM service. (That last step will break applications that use DCOM.) A more complete description of this approach can be found in the Mitigations section of TruSecure article 03-009.
[ • IMPORTANT UPDATE • After the paragraph above was published, TruSecure sent me a correction, as follows: “TruSecure Corporation originally believed that Windows 2000 machines which were at SP3, then patched with MS03-026, and then upgraded to SP4, would become vulnerable… Subsequent testing proved this not to be the case. Systems patched in this method will retain the MS03-026 patch after applying SP4 and do not need to re-apply the patch.” I’ll have more on the reversal of TruSecure’s alert in the next issue of Brian’s Buzz.]
- An unrelated virus muddies the waters. Although it had nothing to do with the RPC hole in Windows, a fast-spreading e-mail virus named Sobig.F created headaches starting on August 19. This is now considered the most rampant virus ever created. MessageLabs.com, an enterprise security service, states that Sobig.F in its first week was being carried by 1 out of every 17 e-mail messages. That far surpasses the previous record of 1 in 138 messages that carried the Klez.H virus.
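The Windows Update caveat above (a patch marked as installed is not necessarily in place) generalizes to any hotfix. The following PowerShell check is an added example, not code from the newsletter or from Microsoft: it compares what the hotfix marker claims with the version actually stamped on the file the patch replaces. The KB id, file path and minimum fixed version are placeholders to be filled in from the bulletin's file-information table.

```powershell
# Added example (not from the newsletter): decide whether a hotfix is really in
# place by checking the patched binary's version rather than trusting the
# "installed" marker that Windows Update or Add/Remove Programs reports.
# Assumptions: the KB id, the replaced file and its minimum fixed version are
# PLACEHOLDERS; take the real values from the bulletin's file-information table.
param(
    [string]  $HotfixId            = "KBNNNNNN",                              # PLACEHOLDER
    [string]  $PatchedFile         = "$env:SystemRoot\System32\PLACEHOLDER.dll", # PLACEHOLDER
    [version] $MinimumFixedVersion = [version]"0.0.0.0"                        # PLACEHOLDER
)

# 1. The marker: what the system claims about the hotfix.
$marker = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
$markerSaysInstalled = ($null -ne $marker)

# 2. The evidence: the version stamped on the file the patch is supposed to replace.
$fileVersion = $null
if (Test-Path -LiteralPath $PatchedFile) {
    $raw = (Get-Item -LiteralPath $PatchedFile).VersionInfo.FileVersion
    # Some binaries append build text after the number; keep only the dotted part.
    if ($raw -match '\d+(\.\d+){1,3}') { $fileVersion = [version]$Matches[0] }
}
$fileIsFixed = ($null -ne $fileVersion) -and ($fileVersion -ge $MinimumFixedVersion)

# 3. Verdict: the row to act on is "marker present, file still old", which is
#    exactly the case the newsletter describes (patch ran once but never took).
if ($fileIsFixed) {
    $verdict = 'patched'
} elseif ($markerSaysInstalled) {
    $verdict = 'MARKER ONLY - file still old, reapply the patch'
} else {
    $verdict = 'unpatched'
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    HotfixId            = $HotfixId
    MarkerSaysInstalled = $markerSaysInstalled
    FileVersion         = $fileVersion
    FileIsFixed         = $fileIsFixed
    Verdict             = $verdict
}
```

Run it against each machine after patching; only a FileIsFixed of True means the fix is actually in place.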
I’m compiling readers’ experiences about Blaster and other Windows problems. To send me more information about the RPC hole, or to send me a tip on any other subject, please visit WindowsSecrets.com/contact.
Stopping Blaster and future attacks
Because of the enormous interest in this subject, I’ve put together a mini-guide to steps you can take to stop worms like Blaster and gain an adequate defense against evolving variants.
- Get MS03-026. Hopefully, there’s no one left who hasn’t installed Microsoft’s patch for the extremely dangerous RPC vulnerability. There are no negative side-effects to the patch that are significant enough to consider not applying it to vulnerable machines. If you haven’t done so yet, go to Microsoft’s site and follow the instructions in bulletin MS03-026.
- Stop the bleeding. If you have machines that have been infected by Blaster or some other variant, you need to disconnect those machines from your network immediately to prevent them from spreading the worm farther than they already have. You can then turn to cleaning up each machine and removing all traces of infection.
All major anti-virus vendors have updated their virus definitions to catch Blaster and variations of it. Updating your definition files and re-scanning your machines is definitely needed. But you may also want to acquire individual removal tools that each vendor has developed specifically to identify and kill the rogue program.
Each anti-virus company uses its own nomenclature to refer to the RPC security hole and the Blaster worm. Follow the procedures of the vendor you prefer or whose service you subscribe to. The biggest vendors and their links to their own analyses and utilities are:
• Symantec: W32.Blaster.Worm.
• Kaspersky Labs: Worm.Win32.Lovsan.
• McAfee: W32/Lovsan.worm Analysis, Downloads.
• Computer Associates: Win32.Poza.
• F-Secure: Lovsan.
- Blast Blaster. If an infected machine is rebooting 60 seconds after connecting to the Internet or at random, you need to halt the rebooting before you can take any other steps, such as installing patches. Windows XP machines in particular tend to display a graphical timer that shows the number of seconds ’til reboot (without allowing the user to halt the countdown).
If this is the case, you can quickly short-circuit the reboot countdown from the keyboard. Simply click the Start button and then click Run. In the dialog box that appears, type shutdown -a and press Enter.
You can then terminate the msblast.exe process using the Windows Task Manager before taking permanent cleanup action. The best explanation of this that I’ve seen, along with several additional steps to help you clean out infected machines, is provided by PC Magazine’s Neil Rubenking in an August 12 article (revised August 14).
- Do NOT disable Remote Procedure Calls permanently. Bad information has circulated on the Internet saying that disabling RPC entirely is a way to avoid being affected by worms. This advice is terrible because RPC is an essential Windows component. Disabling RPC prevents the installation of patches and can make Windows 2000 unbootable, among other things. A better method than disabling RPC to prevent uncontrolled reboots of Blaster-infected machines is to run shutdown -a as described in the previous point.
If you have, in fact, disabled RPC and your machine is hosed, you can try rebooting Windows into Safe Mode (hold down F8 after the memory self-test, then select Safe Mode from the text menu that appears). Then run a small .reg file to restore the Registry’s original RPC configuration. This change has been documented by a power gamer known as Black Viper, a usually reliable source, and is available at his site.
- Get serious about firewalls. If you’re using Windows and not using a firewall, now is the time to start. This subject is beyond the scope of this week’s newsletter, but will be covered in future issues.
That’s a bare-bones roundup of the current knowledge on defending against Blaster and its coming clones. But wait – once you’ve taken those steps, Microsoft has an all new series of serious security weaknesses that you must act on, too. Those holes are treated in the following section.
Here we go again: 'Critical' flaw affects all IE 5 and 6 users
With computer professionals still reeling from last week’s worm and virus attacks, Microsoft just yesterday released warnings that there are “critical” flaws in Internet Explorer 5 and 6 and “important” flaws in every recent version of Windows.
The IE issues are addressed by Microsoft security bulletin MS03-032, while the other issues are addressed by MS03-033. My analysis of these problems and the patches Microsoft has issued is given below.
- MS03-032: Internet Explorer 5 and 6 leave you open to Trojans
The danger level of this new problem is described by Microsoft as “critical” for most users of IE 5 and 6, but only “moderate” for users of IE 5 and 6 on Windows Server 2003. I recommend, however, that everyone install the patch provided by Microsoft, even on Windows Server 2003. Let me elaborate.
A mere e-mail message can infect you. The flaw in IE 5 and 6 can be exploited by a malicious person merely by sending you an e-mail that you open or preview in Microsoft Outlook, Outlook Express, or any other package that uses IE to display mail. Since e-mail viruses are spreading even more quickly these days than ever before, this is a gigantic problem. The flaw can also be exploited if a user of a vulnerable machine visits a malicious Web site, but this method of infection would not spread as quickly. Microsoft doesn’t say so, but the new problem appears to me to affect all recent versions of Outlook and Outlook Express, regardless of any previous security patches.
This is an ideal transmission method for zombie programs. This flaw allows a malicious person to run his or her own programs on the compromised machine. As a result, this weakness will soon be taken advantage of by those who want to install Trojan horses, zombies, and similar code on millions of personal computers to send spam, launch denial-of-service attacks, and so forth.
Windows Server 2003 is vulnerable because its “enhanced” security configuration can be turned off, leaving it open to this attack. It’s very likely that this configuration would be turned off, for example, to run Terminal Server and allow users to run IE to access it freely.
Installing the MS03-032 patch disables some HTML Help unless you’ve also installed the Microsoft HTML Help update described in Knowledge Base article 811630. The Help issue, however, isn’t a good reason to delay either patch. In my opinion, you should immediately install both.
The patch is a cumulative update for IE. This includes all of the previously released patches for IE 5 and 6. To proceed, you should immediately read bulletin MS03-032.
- MS03-033: All versions of Windows need Data Access patch
This flaw affects Windows Me, 2000, and XP. It also affects Windows 9x systems if they’ve ever installed Microsoft Data Access Components (MDAC) 2.5, 2.6, or 2.7. The latter situation is very common because MDAC is installed by Microsoft Access, SQL Server, some XML files, and many other things. The version of MDAC in Windows Server 2003 (MDAC 2.8) is not vulnerable.
Exploiting this weakness would require network access. MS03-033 is a less serious hole than MS03-032 because the attacker would need to be on the same subnet as the user of a vulnerable machine. In my opinion, you should apply the patch, despite the lower risk, because a successful attacker can silently gain the same level of privileges as the affected user, which could be high. Please read bulletin MS03-033.
It’s too early to know of any possible negative side-effects of these two updates. I predict the side-effects will be minor and won’t outweigh the importance of installing the fixes.
I’ll monitor people’s reports and pass them along to you in future issues. As always, you may send me more information about this by visiting my contact page at WindowsSecrets.com/contact.
Free service finds hotspots for you - and rates them
Some of the best free software programs aren’t things you install on your PC, but services that you can access over the Internet. Such an offering has just become available, and it’s called Jiwire.com: a compendium of everything Wi-Fi.
The site went live only yesterday, and it’s trying to build up its services and visitors slowly, so it hasn’t issued any major announcements. You’ve read it here first.
There are lots of Wi-Fi hotspot directories, but Jiwire’s interactive world map is stunning. Imagine super-detailed MapQuest street guides highlighting every access point within 5 miles of you (primarily in the U.S., Canada, and Europe). That’s good, but what makes Jiwire great is that they’ve actually paid reviewers to go to as many of the locations as possible – and tell you which ones have food, power outlets, and rest rooms.
According to the new site, “jiwire” is a verb. It means to connect devices wirelessly, perhaps as you “hotwire” a car to drive it keylessly. The service’s president, vice president, and CTO – Kevin McKenzie, Jeff Pittelkau, and Craig Lurie, respectively – were previously associated with CNET Networks’ online shopping services in various capacities.
Besides compiling pay-for-service hotspots, such as Starbucks, the site claims to have identified numerous free access points. The greatest number of free listings at present are in Atlanta (115), San Francisco (108), and Seattle (105). There’s a lot of other great information here, too, but I feel the need for a latte coming on. Jiwire.com
Plugging in a printer makes your PC not boot up
The problem I’m about to describe would have driven me nuts – and driven you nuts, if it had happened to you, I’ll bet – so I’m thankful that it’s been diagnosed by a faithful reader instead.
The problem is that having an HP All-in-One printer attached to a PC stops that PC from booting. Norbert Loske explains how he figured this out and how he fixed it:
- “I ran into this quirky problem twice. I recently installed two Dell Dimension 4600 computers. I installed and configured all software, and everything was working fine – until I rebooted for a driver install. The system went to a black screen and would not boot. After nearly an hour with Dell support, I got nowhere.
“I noticed that if the printer was not connected, the system booted just fine. A search of knowledge bases led me to HP. They had an article that explains that their HP 2210 printer may cause some systems not to boot due to their BIOSes attempting to boot from a USB device. The HP 2210 printer has a card reader built in. The solution is to change the BIOS not to boot from USB.”
I confirmed this myself by reading HP’s Customer Care bulletin. The problem affects not just HP PSC 2210 printers but also the HP PSC 2170 series. Here’s how HP describes it:
- “This happens because the computer BIOS (Basic Input Output Software) has the ability to boot from external USB mass storage devices and tries to boot from the all-in-one photo card reader, which can be used as a USB mass storage device. The hardware standards call for the BIOS to be able to respond to both 32-bit (such as the all-in-one card reader returns) and 64-bit signals. The BIOS in some computers does not meet the standard and will only recognize 64-bit signals, therefore the BIOS continues to wait for a response that it has already received. This problem may also occur when using any photo card readers or external USB storage devices with the computer.”
So even having a digital camera plugged into a USB port might cause a computer not to boot!
The HP article asserts that Dell Dimension PCs have the problem, and prescribes a 7-step procedure to disable booting up from USB devices. This procedure apparently can be reversed if you ever do need to boot from a USB hard disk or whatever. Sheesh, I hope I don’t run into too many more mind-wracking gotchas like this one in the near future.
Egg-ceptional: Flash animations that rock and roll
A lowly egg rolls into your browser window on a smooth, azure-colored background. The ovoid object kind of seems to be following your mouse pointer around, but then…? It begins to have a life of its own, too. As you watch, the egg takes on new shapes, grows legs, walks around, turns into a cube, and more. You’re at Vector Park, a place where a little Flash goes a long way. After you’ve tired of Eggy, click the pointing hand icon and you’ll find plenty of other stuff to look at. My favorite is Leaves, but it’s impossible to describe. You have to see it for yourself. Egg
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).