Microsoft's urgent security update: What it means (http://news.cnet.com/8301-1009_3-10074072-83.html)

Earlier today, Microsoft did something unusual. The company made an exception to its normal security processes and issued an "out-of-band" urgent update. The update applied is classified as critical for Windows XP and older versions and is considered important for Windows Vista.

After speaking with Microsoft earlier today, I strongly suggest that users understand the importance of this update and begin emergency patching procedures immediately

The above is a quote from the article, not my own words.

Thanks, Sidney — especially when it comes from you, it seems to call for attention!

I posted the link to the CNET piece on the DTP Forum.

I just retested my Windows XP on shieldsup! at grc.com and the RPC port 135 is still stealthed even tho' I'm only running Windows Firewall ALONE at the moment.

So for many home users with adequate firewall, this might not be urgent/critical. Nevertheless, I'm off to windowsupdate.com with MS IE 7 to check it anyway, the update out of band, just in case my auto update hasn't caught it yet. Just for he heck of it, I may try Secunia PSI first just to see how current they are ;)

DH

As of about 8pm EDT, Secunia did not warn about the out of band RPC patch for Windows.

However, windowsupdate.com did warn, so I installed.

Apparently my windows security center auto update did not catch the patch yet.

BTW
VLC 0.9.4
and
Opera 9.6.1 are the latest versions of those, I think. I'm patching them now too.

DH

Microsoft's urgent security update: What it means (http://news.cnet.com/8301-1009_3-10074072-83.html)Thanks for the warning, Sidney. All nice and updated now.

Microsoft's urgent security update: What it means (http://news.cnet.com/8301-1009_3-10074072-83.html)

Thanks Sidney. I wondered why an XP update was being announced by IE on a Friday morning.

- Jeff

Microsoft's urgent security update: What it means (http://news.cnet.com/8301-1009_3-10074072-83.html)



The above is a quote from the article, not my own words.

Sidney,

Thanks for the warning. Went and upgraded right away. I've been nervous ever since I moved away from security blanket of AVG 7.5 Free to uncharted territory. Been experimenting ever since with AntiVir (mainly).

[QUOTE=sidney;48748]Windows urgent security update released (http://news.cnet.com/8301-1009_3-10074072-83.html)

Sidney,

I have a custom of always letting MS updates mellow for a period of time before installing them. I guess I have a decision to make on this one about whether to continue my policy.

Microsoft's urgent security update: What it means (http://news.cnet.com/8301-1009_3-10074072-83.html)
There's always a catch (http://www.theregister.co.uk/2008/10/24/trojan_exploits_wormable_microsoft_flaw/).

[QUOTE=sidney;48748]Windows urgent security update released (http://news.cnet.com/8301-1009_3-10074072-83.html)

Sidney,

I have a custom of always letting MS updates mellow for a period of time before installing them. I guess I have a decision to make on this one about whether to continue my policy.

If you are using the built-in Windows firewall of XP, then blocking "local are connections" in the "advanced" Windows firewall settings should effectively protect one against the vulnerability in Windows RPC (Remote Procedure Call). If you have NO home network or if you have only a single computer on your home network (e.g. a broadband router with only 1 PC connected) then there should be NO harm in blocking "local area connections" in the Windows built in firewall.

However, since according to Microsoft, the currently available patch to fix the RPC bug was easy/simple (i.e. relatively little testing was/would have been required in releasing the patch), there should be little or no danger in applying the patch. Currently I am running with only the Windows built-in firewall and I DID apply the patch. I DO have 3 PC's on my DSL router and do not feel any qualms about having installed the patch. Personally, I think there is extremely little risk by installing the patch.

DH

P.S. the reason that I happened to uninstall my 3rd party firewalls (Zone Alarm free and Sunbelt (formerly their free firewall was mfg'd and supported by Kerio)) was some minor problems in using file sharing on my home LAN (local connections). Therefore I may later re-install ZA or Sunbelt (esp. to control various apps making outgoing connections to Internet). Personally I may prefer ZA over Sunbelt because ZA makes it easy to temporarily disable the ZA firewall. This is relatively quite safe to do (temporarily disable), because the router also has a built-in firewall. If you connect directly to an old fashioned modem or to a broadband modem, then temporarily disabling the Windows (or third party) firewall would NOT be advised. Some (or many?) ISP's block port the port used by Windows RPC, so in such a case you would still be protected against the RPC vulnerability. The Shieldsup! service provided by http://grc.com (among other sites) give you a way to see what ports are blocked by your firewalls and/or ISP. Of course Shieldsup! does not tell you who is blocking the port (if it is blocked), whether it's one of your firewalls or the ISP itself who is blocking the port(s) in question.

There's always a catch (http://www.theregister.co.uk/2008/10/24/trojan_exploits_wormable_microsoft_flaw/). As far as I can see, the exploits exploit the VULNERABILITY and NOT the PATCH to the vulnerability. So it seems to me that strictly speaking, so far, it's not a CATCH.

DH

I think the bottom line at this point in time is that the vulnerability fixed by the out-of-band patch is not a serious threat to many or most home users (as opposed, for example, to corporate and business systems using LAN's).

OTOH the clickjacking vulnerability is apparently widespread in ALL browsers, not just Windows browsers, AND the clickjacking vulnerability is unlikely to be fixed soon in ANY browser since it may require substantial re-design of browser technology. AFAIK the only effective workaround to prevent clickjacking is the NoScript extension to Firefox.

Furthermore there is apparently a vulnerability in almost all implementations of TCP/IP (Internet protocols) that makes almost all Internet/TCP/IP servers (as opposed to clients) vulnerable to crashing and freezing up (only to be recovered by rebooting). This vulnerability has not been described in detail in public yet in order to give all OS mfg's time to fix it (not easy). As I said, this is not something that most home users need to worry about and it is something that even corporate customers can do almost nothing about since we ALL depend on the OS mfg's to fix it, and the mfg's are the only ones so far who have been informed about the details (we hope).

DH

the exploits exploit the VULNERABILITY and NOT the PATCH to the vulnerability.
Aha! The good "catch" is yours!

Aha! The good "catch" is yours! I hope the Rays make some good catches too. I'm not a real fan, but at least I have an old beat up Devil Rays hat to keep the sun and rain off my eyes ;)

DH