Showing posts with label security. Show all posts

Tuesday, April 17, 2007

Microsoft DNS Vulnerability - Exploited!

If you haven't applied the registry workaround on your Microsoft DNS servers yet (CERT VU#555920, Microsoft Security Advisory 935964), now would be a good time. A working exploit is publicly available and in use: the Rinbot worm is reportedly spreading with it, and a module has been added to Metasploit. I'd expect attacks to pick up rather than taper off at this point.

For the blissfully unaware, the flaw is a stack-based buffer overrun in the RPC management interface of the DNS Server service; a remote attacker who can reach that interface gets code execution with the service's privileges (Local System). Since it is the DNS server that is taken over, the follow-on possibilities include cache poisoning, pharming, and DoS. Most people run DNS on their domain controllers, so an attacker who compromises your DNS server has also compromised a domain controller, and with it your Active Directory. At that point you are looking at a very bad situation and a minimum of one very long night.

Friday, April 13, 2007

Microsoft DNS Vulnerability

UPDATE(2007-04-17): This vulnerability is currently being exploited in the wild.

Microsoft released a security advisory (935964) last night recommending configuration changes on Windows 2000 Server and Windows Server 2003 machines running the DNS Server service.

The recommended workaround is a registry change that stops the DNS Server service from accepting management RPC calls over the network (the RpcProtocol value under the DNS service's Parameters key), which takes the vulnerable RPC interface out of reach of remote attackers. The side effect is that remote administration of DNS (the DNS console or dnscmd from another machine) stops working until you revert it; local administration still works. The advisory also says that a full-fledged patch is in the works, so keep an eye out for it.
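The following is an added example, not from the original post, showing how to apply and verify the RpcProtocol workaround from Microsoft Security Advisory 935964 on a single DNS server. The registry path, the value name and the meaning of value 4 (DNS_RPC_USE_LPC: management RPC accepted over local procedure calls only) are from the advisory and the DNS Server documentation; everything else (the function names, the messages) is this example's own. It assumes it is run as an administrator on the DNS server itself.

```powershell
# Added example (not from the original post): apply and verify the workaround
# from Microsoft Security Advisory 935964 on a Windows DNS server.
# RpcProtocol = 4 (DNS_RPC_USE_LPC) makes the DNS Server service accept
# management RPC only over local procedure calls, so the vulnerable RPC
# interface is no longer reachable from the network.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsRpcProtocol {
    # Returns the current value, or $null when it has never been set
    # (the default, which also allows RPC over TCP/IP and named pipes).
    $item = Get-ItemProperty -Path $dnsParams -Name RpcProtocol -ErrorAction SilentlyContinue
    if ($item -and ($item.RpcProtocol -ne $null)) { return [int]$item.RpcProtocol }
    return $null
}

function Test-DnsRpcLocalOnly {
    # $true only when remote RPC management is completely disabled.
    return ((Get-DnsRpcProtocol) -eq 4)
}

function Set-DnsRpcLocalOnly {
    # -Force overwrites an existing value; Out-Null hides the returned object.
    New-ItemProperty -Path $dnsParams -Name RpcProtocol -Value 4 `
        -PropertyType DWord -Force | Out-Null
    # The DNS Server service reads RpcProtocol at startup. Restarting it causes
    # a short resolution outage, so do this in a window, one DC at a time.
    Restart-Service -Name DNS -Force
}

if (Test-DnsRpcLocalOnly) {
    Write-Host 'RpcProtocol is already 4; remote RPC management of DNS is disabled.'
} else {
    Write-Host "RpcProtocol is currently '$(Get-DnsRpcProtocol)'; applying the workaround."
    Set-DnsRpcLocalOnly
    if (Test-DnsRpcLocalOnly) {
        Write-Host 'Workaround applied and verified.'
    } else {
        Write-Warning 'The value did not take; check that you are running elevated on the DNS server.'
    }
}
```

Two caveats a practitioner will want: after this change, the DNS MMC console and dnscmd only work when run locally on the server, so remote DNS administration breaks until you reset the value; and the advisory pairs this with blocking unsolicited inbound traffic to the RPC port range at the perimeter, since the registry value protects the DNS service but does nothing for a server you forgot about. Keep a list of where you applied it so it can be reviewed once the proper patch ships.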

Tuesday, April 10, 2007

RyanVM Integrator

Ok, so I haven't spent a lot of time or energy creating an imaging system to rapidly deploy cloned PCs. When I started here, I thought it would be a must-have item. It actually hasn't been that important. The procedure so far has been to use a slipstreamed Windows XP Service Pack 2 CD to install the OS while offline, then use c't Offline Updater to patch the computer with the post-SP2 critical patches. Once that's done, I plug into the LAN and go to Microsoft Update to get the rest of the patches. A couple of software installs (anti-virus, Microsoft Office, Adobe Reader) from the NAS with one more Microsoft Update hit (for Office patches) and we're off and running.


I think we can improve that system though and still not need to move to an imaging solution. That's where RyanVM Integrator comes in. From the site:

"This pack is designed to bring a Windows XP CD with SP2 integrated fully up to date with all of the latest hotfixes released by Microsoft since SP2's release. It accomplishes this task via direct integration, where files on the CD are directly overwritten by the updated files."
The beauty of this system is that there is zero lag time between installing the OS and installing patches. They are installed simultaneously with the OS! This saves:
  • time by installing files once, rather than installing them then overwriting them with patches,
  • space by not needing to download patches and extract them,
  • headaches by providing a secure OS from the moment of installation.
TechRepublic has a nice howto article, so I won't bore you with the details of how to set the Integrator up.

The post-SP2 update pack, which includes the patches released after SP2, seems to lag behind Microsoft's patches slightly. As of today, the latest RyanVM pack (version 2.1.8) is dated 3/20/2007. That misses the .ANI fix and the patches that came out yesterday. I think that it might not hurt to run this in conjunction with c't. So, here's my new procedure:
  1. Install the integrated Windows XP,
  2. Run c't Offline Updater,
  3. Plug into LAN,
  4. Install software,
  5. Go to Microsoft Updates for the latest Office updates.
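As an added check on the procedure above (example code, not from the original post or from the RyanVM or c't projects), here is a PowerShell script that runs between steps 2 and 3: before the cable goes in, it confirms that the updates the integrated CD and the offline updater were supposed to install are actually present, by reading the installed hotfix list from the Win32_QuickFixEngineering WMI class (the same source "wmic qfe" uses). The required list is an assumption for illustration; KB925902 is the April 2007 animated-cursor (.ANI) fix, MS07-017, and the rest of the list is whatever your build requires.

```powershell
# Added example (not from the original post): verify a freshly built XP box
# has the hotfixes you expect before it is connected to the network.

function Get-InstalledHotfixIds {
    # Win32_QuickFixEngineering lists updates that registered as hotfixes.
    Get-WmiObject -Class Win32_QuickFixEngineering |
        Select-Object -ExpandProperty HotFixID |
        ForEach-Object { $_.ToUpper().Trim() } |
        Sort-Object -Unique
}

function Get-MissingHotfixes {
    param(
        [string[]] $Required,   # KB ids you expect on the machine
        [string[]] $Installed   # defaults to the local machine's QFE list
    )
    if (-not $Installed) { $Installed = @(Get-InstalledHotfixIds) }
    $have = @{}
    foreach ($id in $Installed) { $have[$id.ToUpper().Trim()] = $true }
    # Return the required ids that are not in the installed set.
    $Required | ForEach-Object { $_.ToUpper().Trim() } |
        Where-Object { -not $have.ContainsKey($_) }
}

# Assumed list for illustration. KB925902 is MS07-017 (the .ANI fix that the
# 3/20/2007 RyanVM pack predates); add the other KBs your build must carry.
$required = @('KB925902')

$missing = @(Get-MissingHotfixes -Required $required)
if ($missing.Count -eq 0) {
    Write-Host 'All required hotfixes are present; safe to plug in.'
} else {
    Write-Host "Missing: $($missing -join ', ')"
    Write-Host 'Run the offline updater again before connecting to the LAN.'
}
```

Note that Win32_QuickFixEngineering only reports updates that register as Windows hotfixes, so Office updates and some application patches will not appear in it; treat this as a sanity check on the offline build, not as a replacement for the Microsoft Update pass in step 5. The function takes an explicit `-Installed` list as well, so you can run it against a list exported from another machine.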
What do you think? Do you have any improvements on that practice?

Tuesday, April 3, 2007

Microsoft Emergency Patch Released

Microsoft has released an unscheduled patch to fix several critical vulnerabilities. Do not wait. Go now and patch your systems. (If you've been following this blog, then you can do it from home!)

Oh, and don't worry, apparently Patch Tuesday is still on schedule so you won't be bored next week!

Thursday, March 22, 2007

Vista UAC

Unfortunately, I haven't had the opportunity to mess with Vista yet. (I missed my shot at the second beta. :( ). One of the features I've been looking forward to is UAC (User Account Control).
I've tried using Least Privileged Account practices in XP and it is a real pain. I actually tried multiple times. The first time I gave up immediately. The second time took slightly longer to make me cry "uncle". I never made it more than a week, though.
I mention it because of this post on ZDNet:

Should Apple be making fun of Vista UAC? by ZDNet's George Ou -- Windows Vista UAC (User Account Control) has an additional security feature called Secure Desktop that hardens the UAC privilege escalation prompt, but some people seem to be upset with this feature because they say it's annoying. Apple has even gone as far as making a new TV commercial out of it with "PC" being bossed [...]
UAC is the right move by Microsoft. It's at least five years too late but now that it is here we need to encourage people to use it, not spread FUD and scare them away. I'm not bashing Apple. I think they have some great products. But shame on them for this cheap marketing trick.

Wednesday, March 14, 2007

Windows Server 2003 SP 2, Part 2 (So Far, So Good)

I got SP2 installed, as promised. Only one weird thing in the Application Log, an Event ID 5603 complaining about RSOP Planning Mode Provider running as a Local Service. KB915148 says this is normal behavior for SP1 and XP SP2, so I'm thinking all is well in update land.

I'd stay and chat, but I've got four more servers to update!

Windows Server 2003 SP2 Released!

Maybe the reason there weren't any patches from Microsoft this week is because they were gearing up to release Service Pack 2 for Windows Server 2003.

I'm just downloading now. I have a server to test it on tonight. I'll let you know how it went!

Wednesday, March 7, 2007

c't Offline Update Project

The problem with new installs of Windows is that you know that you can't hook the computer to the Internet until it has all of the security patches. You also can't get the security patches until you hook up to the Internet. In the past, I've hooked machines up and raced to Microsoft Updates, praying that the updates take before the crackers find the computer.

The Solution

c't Offline Update Project (German page, English translation) is a collection of scripts that locates Critical and Security updates from Microsoft Update and downloads them to your PC. It then creates an ISO with the scripts and patches which you can burn to create your offline patch CD.

You can now install Windows on a computer and leave the network cable unplugged. Once Windows is installed, you can insert the c't Offline Update Project CD into the computer. The script autoruns, you click START, and then you can walk away. The scripts take care of finding what patches are needed, installing the needed patches, and rebooting the computer (as many times as necessary). When it's all done, a report appears on the screen to tell you what patches were installed and any problems that may have occurred.

In my experience, this not only gives you a more secure computer to go out and get the rest of your patches but it also patches more quickly. Without having to go online, check for patches, download, install, reboot, and repeat a few times, it shaves at least 30 minutes off of my prep time (note: I haven't actually timed that, YMMV).