Organizations that use Microsoft Corp.’s Windows software were scrambling last week to patch vulnerable systems after the company sent word of three more critical Windows software vulnerabilities.
Marathon patching sessions, antivirus updates and expressions of frustration with the Redmond, Wash. software maker were the norm, as systems administrators rushed to protect themselves from any other Blaster-style worm that may appear and exploit the new security holes.
The critical holes were found in an interface to a Windows component called the RPCSS service and affected almost every version of Windows. The RPCSS service processes messages using the RPC (Remote Procedure Call) protocol, which software programs running on different machines use to communicate, according to Microsoft Security Bulletin MS03-039. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp.)
That made the latest bulletin similar to another recent RPC vulnerability, MS03-026, which was later used by the W32.Blaster and W32.Welchia worms to infect computers worldwide.
For that reason and others, companies affected by the new vulnerabilities wasted no time in mobilizing staff to patch their Windows systems.
IT staff at the Maryland Department of the Environment immediately began deploying patches to affected servers and user workstations. The department manages about 1,200 machines in total, with Windows on almost 100 per cent of the workstations and many of its servers, according to Hank Torrance, lead networks specialist at the Department.
Unlike their colleagues in the state’s Motor Vehicle Administration who had to contend with a massive Blaster outbreak, staff at the Department of Environment successfully applied the earlier Microsoft RPC patch, MS03-026, in July and were spared Blaster’s wrath, Torrance said.
The department is using the same approach with the latest vulnerabilities: relying on the built-in Windows Update feature to patch desktops and Novell Inc.’s ZENworks configuration management tool to push the patch out to affected Windows servers, he said.
The Blaster worm had a profound effect on the way that technical staff at Young Electric Sign Co. (YESCO) reacted to Microsoft’s announcement.
The Salt Lake City maker of custom signs and electric displays spent five days in August digging out from the Welchia (or “Nachi”) worm, a Blaster derivative, which infected around 50 of the company’s 650 host machines and shut down operations in two branch offices, according to Bret Anderson, network manager at YESCO.
In the past the company’s reaction to patches, including the last major RPC patch, was relaxed, he said.
“You know, Microsoft comes out with patches once a week. So we’d say ‘maybe I’ll get to it this week, maybe next week,'” Anderson said.
Generally, staff was prompt in patching servers, according to Anderson.
“But clients? Whatever,” he said.
This time around, Anderson summoned the other network administrators immediately upon learning of the new RPC holes and called for an all-out effort to get affected systems patched, he said.
“I told them ‘I guess we’re gonna have a late night. Get patching’,” Anderson said.
Anderson also modified YESCO’s routers to block RPC and UDP (User Datagram Protocol) traffic, just to be sure, he said.
To prevent infection from worms and viruses that might use the new vulnerabilities, YESCO uses antivirus software from Sophos PLC on the desktop and at the Web gateway, he said.
The University of Florida in Gainesville also learned valuable lessons from the last round of RPC worms, according to Network Security Engineer Jordan Wiens.
After fighting infections from both Blaster and Welchia that originated from a pool of “random users” who connected to the university intranet through dial-up and wireless network connections, IT staff at the university deployed a range of home-grown technology to cut short future infections.
With links to the university’s intrusion detection system (IDS), the new tools will automatically disconnect users from the intranet once outbound worm attack traffic is spotted, Wiens said.
Infected users are presented with pop-up messages with links to University resources for cleaning infected machines and obtaining the appropriate Microsoft patch, he said.
In the meantime, IT administrators across campus are scanning for vulnerable machines and using e-mail notification to get staff and students to patch their systems, he said.
While touting their increased vigilance, system administrators also expressed frustration with the frequency of critical software patches from Microsoft.
“I hate to say anything about Microsoft, but with all these vulnerabilities, they’re keeping us busy patching,” Torrance said.
“It’s just ridiculous,” YESCO’s Anderson said. “It takes up too much time. We’re kind of understaffed anyway for the number of users we support and (patching) is not what we had planned to do today, tomorrow or over the weekend.”
The frequent patches have Anderson looking more closely at using the Linux operating system on the desktop, he said.
The prompt reaction is probably the result of network administrators getting questioned about Blaster outbreaks and unpatched systems in August, according to James Foster, director of research and development at security company Foundstone Inc.
Despite fears about software patches breaking valuable systems, companies large and small should be looking into patch management and automatic software update features to quickly disseminate fixes, especially during the summer, when virus writing activity peaks, he said.
“The risk of breaking your systems is still smaller than the risk of not patching for a vulnerability such as this,” Foster said.