[Dshield] New Microsoft Windows RPC vulnerability

Keith Bergen keith at keithbergen.com
Wed Sep 17 18:43:34 GMT 2003


A friend of mine tried to make the argument that killing port 
135 was good. The other problem that I have seen with killing 
it is that the Task Scheduler relies on port 135. I found 
that one out the hard way. I killed 135, and killed my 
DShield submissions! They were scheduled. Also, many 
antivirus programs rely on Task Scheduler to get updates, or 
to run scans. Those would stop.

In short, I disagreed with my friend. Port 135 is a necessary 
evil (in my house), and if you install your network behind a 
NAT router, you should be safer. Let's just hope that 
we've seen the last vulnerability of DCOM.

Now, if you don't use Task Scheduler or Winfax, or anything 
else that relies on RPC, you should be fine, right?

Keith.

---- Original message ----
>Date: Wed, 17 Sep 2003 13:58:56 -0400
>From: "Guy Barnum" <GuyBarnum at Armscole.com>  
>Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability
>To: "General DShield Discussion List" <list at dshield.org>
>
>I decided to follow up on one of these DCOMbobulator plugs.
>Has anyone else tested their client server apps against
>DCOMbob.exe?
>
>The grc.com web site indicates that basically no one but
>hackers would use DCOM to violate your computer so everyone
>should just shut it off.
>
>There is a small company by the name of Symantec which uses
>DCOM and the RPC server for their Winfax client server
>connection.  Arguably installing winfax software could still
>be considered a system violation...  If I found an
>application used as widely as Winfax, which won't work with
>DCOM turned off, in the first 5 minutes of testing
>DCOMbob.exe surely there are many more out there and it might
>not be a good practice to tell everyone in the whole
>web-world to start turning off DCOM.
>
>I can picture IT support personnel trying to figure out why
>their client server app of choice isn't working on x number
>of systems and how they would figure out the users have read
>articles like this and turned off their DCOM services.
>
>Guy
>
>-----Original Message-----
>From: Rick Leske [mailto:rick at jaray.net]
>Sent: Tuesday, September 16, 2003 11:24 PM
>To: General DShield Discussion List
>Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability
>
>
>Well here's a better explanation: http://grc.com/default.htm
>
>hth,
>
>~Rick