Title: Message
I agree with a lot of what you both have said, however the fact remains that RPC is, in and of itself, an insecure system - RPC is built around the assumption of trust - it must implicitly trust everyone to do its job.
 
Using RPC, a client connects to a server and requests information for connecting to a particular service (that's the function of the end point mapper - which is what runs on port 135). The client then contacts that service which handles the authentication itself.
 
So - the end point mapper by definition has to trust everyone. There is no authenticate before ask concept in RPC - authentication happens AFTER RPC communications are already established. That's the core problem.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New RPC DOS

Glen,
 
I agree 100%.  The point that remains is that this is software - just like Solaris, Linux, AIX, OS/390, OS X, ad infinitum.  Humans wrote it, humans make mistakes, software therefore has bugs.  Windows is the most targeted software because:
 
A.  It is written to please consumer needs and feature requirements
B.  Security, up to the last couple of years, has not been a focus
C.  There is more of it to attack than anything else on the planet
 
I surmise that if overnight Windows disappeared and Linux (or any other OS) became the dominant player (another OS will eventually become dominant - it's inevitable, maybe MANY years down the road, but....) that new OS will be the most hated and attacked OS on the planet as everyone who is tied to Windows runs to support/exploit/profit from the newcomer.  Come the days of Windows NT 4.0 and Windows 95/98 - no one cared.  Until however, the big shift began in the server market and the Internet began to become proliferated with more and more Windows systems ripe for the picking.
 
Go after the low hanging fruit.  Kind of asinine to try and exploit a highly secure system if there is interesting stuff on this machine with the Administrator password set to 'pillage'.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, September 11, 2003 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] New RPC DOS

True Roger, MS could stop using it.  However, in and of itself RPC isn't the bad guy, and MS would need to replace it with something else, which based on their track record would still have vulns and require a fair bit of patching.
 
G.
 
----- Original Message -----
Sent: Friday, September 12, 2003 5:30 AM
Subject: RE: [ActiveDir] New RPC DOS

You miss my point. The question was what Microsoft could do to fix all these RPC issues. The answer is to stop using it, which was going to take time.
 
 

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 11:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] New RPC DOS

But if you use applications like Outlook with Exchange 5.5 then you can't communicate.

 

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] New RPC DOS

 

The solution is to do away with RPC entirely - but that's a major rewrite of things. On the other hand, I have plenty of Unix boxes running with RPC disabled and they run fine.

 

Let's remember RPC's major functionality can be replaced, but that's at the expense of more complex application design.

 

Roger

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 12:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New RPC DOS

Todd,

 

>> Anyone have a clue as to how Microsoft plans to fix the RPC system to make it more secure?

 

Concentrate maybe one or two more people on looking at error checking on the input into the arrays/buffers in the RPC code?  ;op

 

I mean, really - a vuln lies around waiting for someone to find it for years, and in this short of a time 3 more vulns are found in roughly the same area, just different vectors?  I sure hope that there is a team poring over the code that makes up RPC.

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, September 10, 2003 2:15 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] New RPC DOS

Our Microsoft TAM notified us of this new issue.  I waited to give them time to publish it to the various news sites. 

 

At 9AM PST, PSS will be announcing a new critical security bulletin (MS03-039).   This bulletin will address an RPC denial-of-service vulnerability in Windows products.    Please take the time today to go to the www.microsoft.com/security site to obtain the patch and directions for implementation.    Just trying to help you stay one step ahead!

 

I think it is very important to get this update on all your DCs even if they are behind a firewall ASAP.  We managed to mitigate Blaster but these RPC DOS are starting to get really nasty.

 

Anyone have a clue as to how Microsoft plans to fix the RPC system to make it more secure?

 

Thanks,

 

Todd Myrick
