The U.S. Department of Homeland Security (DHS) issued an updated advisory Wednesday entitled “Potential for Significant Impact on Internet Operations Due to Vulnerability in Microsoft Operating Systems.”
The warning listed all the major iterations of Windows server platforms as well as client-side Windows XP. The advisory said that, while the department has not yet encountered any disruptions, several “working exploits” that would grant complete remote system access to affected computers are now being distributed across the Internet.
No Problems Reported as Yet
The DHS said that no worm codes have been reported; however, “an Internet-wide increase in scanning for vulnerable computers over the past several days reinforces the urgency for updating affected systems.”
Eric Hemmendinger, research director for security and privacy at Aberdeen Group, told the E-Commerce Times that while he wasn’t aware of any particular signs, he assumed the DHS has received some indication of activity.
“Otherwise, this would be the Net equivalent of duct tape and plastic sheeting,” Hemmendinger said. “[The DHS] would be scaring people for no good reason.”
The Latest Vulnerability
Windows computers have been found susceptible to a Remote Procedure Call (RPC) vulnerability. According to the DHS, hackers can take advantage of this flaw to install programs, change or delete data, create new accounts with full privileges or invoke a denial-of-service attack on at-risk computers.
Both the DHS and Microsoft have urged computer owners and systems administrators to patch their systems as soon as possible.
Problems with the Patch
But Richard Stiennon, research director for Internet security at Gartner, told the E-Commerce Times that patching computers is a problematic solution, particularly for large government agencies.
Stiennon said that, to patch a typical Windows machine, one would need to download and install an updated service pack before the user could download the appropriate patch, a task that could take up much of a day. The Employment and Training Administration (ETA), for example, has over 50,000 desktops. Stiennon said the agency simply does not have the time or resources to patch all those PCs.
“Microsoft has become very good at patching buffer overruns, but they have to go one layer deeper,” Stiennon said. “They have to fix the way programs talk to each other.”
Returning to Port
Stiennon said Microsoft’s latest security breach is the result of relying on outdated protocols that were never meant to be deployed between machines or over networks.
According to Stiennon, port 135, one of the ports mentioned in the advisory, was designed to be used in non-Internet computing. Under those circumstances, it was an efficient protocol, but in today’s Internet world, using it to enable computers to communicate and exchange code simply is not smart.
Stiennon recommended blocking 135 at the firewall level and, if possible, blocking it inside Windows-based networks. In addition, he advised administrators to take steps to get away from the parts of the Windows architecture that use this port, including Active Directory and the Active Directory Authentication Tool.
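As an added example (not from the article or the DHS advisory), the script below looks through firewall logs for the kind of sweep of port 135 the advisory describes, reports sources that probed many internal hosts, and counts how many of those probes the firewall let through, which is the check an administrator would want after applying the block Stiennon recommends. The log format, addresses and threshold are constructed for the example.

```python
"""Flag sources sweeping a network for port 135 (RPC endpoint mapper).

Added example, not code from the article or the DHS advisory. The log
format is constructed: <date> <time> <action> <proto> <src> <dst>
<src_port> <dst_port>, loosely modelled on a host firewall log.
"""
from collections import defaultdict

RPC_PORT = 135
SCAN_THRESHOLD = 5   # distinct internal hosts probed on 135 by one source

# Constructed sample: one external host sweeps 10.0.0.11-16, another
# talks to a single host, one line is unrelated web traffic.
SAMPLE_LOG = """\
2003-07-17 10:01:02 DROP TCP 203.0.113.7 10.0.0.11 4412 135
2003-07-17 10:01:02 DROP TCP 203.0.113.7 10.0.0.12 4413 135
2003-07-17 10:01:03 DROP TCP 203.0.113.7 10.0.0.13 4414 135
2003-07-17 10:01:03 DROP TCP 203.0.113.7 10.0.0.14 4415 135
2003-07-17 10:01:04 DROP TCP 203.0.113.7 10.0.0.15 4416 135
2003-07-17 10:01:04 ALLOW TCP 203.0.113.7 10.0.0.16 4417 135
2003-07-17 10:02:10 ALLOW TCP 198.51.100.9 10.0.0.20 51000 135
2003-07-17 10:02:11 ALLOW TCP 198.51.100.9 10.0.0.20 51001 80
2003-07-17 10:02:12 DROP UDP 203.0.113.7 10.0.0.11 4418 135
"""

def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, action, proto, src, dst, sport, dport = parts
    return {"ts": f"{date} {time}", "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}

def find_rpc_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Return {src: (distinct_targets, allowed_hits)} for every source whose
    port-135 probes reached at least `threshold` distinct destinations.
    allowed_hits > 0 means the block is not in place on some path."""
    targets = defaultdict(set)
    allowed = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != RPC_PORT:
            continue
        targets[rec["src"]].add(rec["dst"])
        if rec["action"] == "ALLOW":
            allowed[rec["src"]] += 1
    return {src: (len(dsts), allowed[src])
            for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, (n, passed) in find_rpc_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {n} hosts on 135, {passed} probe(s) allowed")
```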