After the Army and DHS recently signed deals with Microsoft worth hundreds of millions, they suddenly “notice” security issues. It’s not the first security hole, and surely not the last, but this is a welcome announcement from the DHS’s National Infrastructure Protection Center. For the latest patches for your Windows boxen, see Microsoft’s related page. In Microsoft’s defense, Unix and GNU/Linux are not secure by default in most distros either, but it’s far easier to lock down a Unix or GNU/Linux system and disable the services you don’t need. Windows Server 2003 is also affected, unfortunately, even though it installs with most services disabled by default.
This specific security hole affects RPC (Remote Procedure Call) traffic on TCP and UDP ports 135, 139 and 445, so block those at your firewall right away. I suggest installing the patch even if you already have those ports blocked from the Internet: an internal user may open an e-mail worm that then spreads havoc from inside your network, where the firewall does nothing for you. Apparently the RPC service does poor buffer checking and is vulnerable to overflow attacks. For the C/C++ developers out there, that’s where the code reading data from the socket assumes the input has a specific maximum length and never checks whether more arrived, such as declaring “char buffer[4096];” and then copying the data into it without checking whether the peer sent 4097 or more bytes. The length the attacker controls ends up deciding how much gets written past the end of the buffer.
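To make the pattern concrete, here is an added example of my own; it is not Microsoft’s RPC code and the two-byte length-prefixed message format is something I made up for illustration, not the DCOM/RPC wire format. The unchecked parser trusts the length field the peer sent; the checked one verifies that the claimed length both fits the destination buffer and is actually present in the packet, which also prevents reading past the end of what was received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4096

/* Read a big-endian 16-bit length from the first two bytes of a packet. */
static uint16_t read_len16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* VULNERABLE: trusts the length field sent by the peer. If the peer claims
 * more than BUF_SIZE bytes, memcpy writes past the end of 'out' (a stack
 * smash when 'out' lives in the caller's frame). Shown only to illustrate
 * the pattern; call it only with well-formed input. */
int parse_message_unchecked(const uint8_t *pkt, size_t pkt_len, char out[BUF_SIZE]) {
    (void)pkt_len;                      /* the real packet size is never consulted */
    uint16_t claimed = read_len16(pkt);
    memcpy(out, pkt + 2, claimed);      /* no bound on 'claimed' */
    return claimed;
}

/* HARDENED: checks that the header exists, that the claimed length fits the
 * destination, and that the packet really contains that many bytes (so it
 * can neither overflow 'out' nor over-read 'pkt'). Returns the number of
 * payload bytes copied, or -1 if the message is rejected. */
int parse_message_checked(const uint8_t *pkt, size_t pkt_len, char out[BUF_SIZE]) {
    if (pkt_len < 2)
        return -1;                      /* no room for the length field */
    uint16_t claimed = read_len16(pkt);
    if (claimed > BUF_SIZE)
        return -1;                      /* would overflow 'out' */
    if ((size_t)claimed > pkt_len - 2)
        return -1;                      /* would read past the packet */
    memcpy(out, pkt + 2, claimed);
    return claimed;
}

/* Constructed test data: build a packet in 'dst' whose header claims
 * 'claimed' bytes while 'actual' bytes of filler follow it. Returns the
 * total packet size, or 0 if it would not fit in 'dst'. */
size_t build_packet(uint8_t *dst, size_t dst_cap, uint16_t claimed, size_t actual, char fill) {
    if (actual + 2 > dst_cap)
        return 0;
    dst[0] = (uint8_t)(claimed >> 8);
    dst[1] = (uint8_t)(claimed & 0xff);
    memset(dst + 2, fill, actual);
    return actual + 2;
}

int main(void) {
    uint8_t pkt[BUF_SIZE + 2 + 1024];
    char out[BUF_SIZE];

    /* Honest message: 16-byte payload, length field agrees with it. */
    size_t n = build_packet(pkt, sizeof pkt, 16, 16, 'A');
    printf("checked, honest 16-byte message:   %d\n", parse_message_checked(pkt, n, out));
    printf("unchecked, same message:           %d\n", parse_message_unchecked(pkt, n, out));

    /* Hostile message: claims 4097 bytes and really carries them. */
    n = build_packet(pkt, sizeof pkt, 4097, 4097, 'B');
    printf("checked, 4097-byte claim:          %d (rejected)\n", parse_message_checked(pkt, n, out));
    /* parse_message_unchecked(pkt, n, out) here would write one byte past
     * 'out'; a larger claim would reach the saved return address. */

    /* Truncated message: claims 64 bytes but only 8 follow the header. */
    n = build_packet(pkt, sizeof pkt, 64, 8, 'C');
    printf("checked, truncated message:        %d (rejected)\n", parse_message_checked(pkt, n, out));
    return 0;
}
```

The thing to take away is that the check has to compare the attacker-supplied length against both the destination size and the bytes actually received; checking only one of them still leaves either a write past the buffer or a read past the packet.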