Brian's Buzz on Windows has changed its name to the Windows
Secrets Newsletter. Get the latest high-tech tricks with a free
subscription.
AUGUST 21, 2003 - Issue 12
More good news from your friendly neighborhood scribbler
I've been invited to write a new biweekly feature called Executive Tech,
"the newsletter for technology professionals who'd like to keep their jobs."
It's being published by Datamation, a division of the Jupitermedia network
of sites. The new newsletter is not about Windows but instead will unveil
emerging technologies that CIOs and CTOs of Fortune 1000 companies need to know
about (before their competitors do). Visit Jupitermedia's Internet.com
signup page
for a free subscription.
--Brian Livingston
TOP STORY - info you need to make Windows work
In the aftermath of Blaster
By Brian Livingston
The serious security hole in Windows that I warned you about in the
July 24 and
August 7
issues of Brian's Buzz exploded onto the front pages of newspapers around
the world on August 13. Hundreds of thousands of PCs - afflicted with a
vulnerability in the Remote Procedure Call (RPC) of
Windows - were infected by a worm that's been called Blaster, MSBlast,
and Lovsan. Variants of that worm have been spreading since then, and
the problem won't totally go away any time soon.
Tons of articles have been written about the Blaster worm, so I won't
repeat that here. Instead, this issue of Brian's Buzz contains an
overview of this and other problems you need to be aware of. I've also
prepared a Special Report on steps you should take to head off even more severe
problems in the future.
- Microsoft gets a nightmare of publicity. The
Blaster disaster, for whatever reason, generated enormous mainstream
media coverage - of the kind that no corporation wants to be the
subject of. Perhaps it was because the worm rebooted some PCs with only 60
seconds' warning, creating a highly visible calamity. Or perhaps it was because
the U.S. Dept. of Homeland Security itself had issued a rare announcement
about this particular Windows weakness only days before the attack.
In any case, Microsoft is now in the public eye for its security
shortcomings more than ever.
- Windows Update remains up. The creator of the Blaster worm
designed it to flood Microsoft's Windows Update site with packets from
PCs infected with the rogue program. Intended presumably as a "lesson" to
Microsoft, the attack began on August 16 and was scheduled to continue unabated
until December 31, 2003. It would then resume for the last two weeks of each
month until June 2004.
The programmer of Blaster, however, erred by directing the attack at
the domain name windowsupdate.com.
This name always redirected to the true name,
windowsupdate.microsoft.com.
Microsoft averted Blaster's attack by simply disabling the shorter name. The
service itself remains operational, although it was slowed by the many Windows
users who suddenly wanted to download patches.
- Microsoft's mistakes spawned more criticism. Aside from the
overall topic of Windows security holes, some more recent Microsoft blunders
worsened the crisis. After its original MS03-026 bulletin about the
weakness in Windows was sent out, Microsoft hired an e-mail marketing firm
called Digital Impact to send additional, official-looking warnings. But
these e-mail messages
weren't digitally signed, in violation of Microsoft's repeated
pronouncements that users should consider such unsigned messages to be hoaxes.
To add insult to injury, numerous reports surfaced that Windows Update
was reporting that users had successfully installed the MS03-026 patch when it
had, in fact, failed. In these cases, the site tests only whether the patch has
been run once, not whether it's actually installed and working. Machines that
ran out of memory or failed to install the patch for other reasons would not
be detected by Windows Update as still being vulnerable. (My thanks to
reader Michael R. for his help with this topic.)
- Windows 2000 upgrades to SP4 undo the MS03-026 patch. Take Windows 2000
machines with Service Pack 3, patch them with MS03-026, and then
upgrade them to Service Pack 4. They become vulnerable to
Blaster again. If you don't need the features
of SP4, either hold off on installing it, or do install it and then
manually disable the Windows DCOM service. (That last step will break
applications that use DCOM.) A more complete description of this approach
can be found in the Mitigations section of TruSecure article
03-009.
[ • IMPORTANT UPDATE • After the paragraph
above was published, TruSecure sent me a correction, as follows:
"TruSecure Corporation originally believed that Windows 2000
machines which were at SP3, then patched with MS03-026,
and then upgraded to SP4, would become vulnerable... Subsequent
testing proved this not to be the case. Systems patched in this
method will retain the MS03-026 patch after applying SP4 and do
not need to re-apply the patch." I'll have more on the reversal
of TruSecure's alert in the next issue of Brian's Buzz.]
- An unrelated virus muddies the waters. Although it had nothing to
do with the RPC hole in Windows, a fast-spreading e-mail virus named
Sobig.F created headaches starting on August 19. This is now considered
the most rampant virus ever created. MessageLabs.com, an enterprise
security service, states that Sobig.F in its first week was being carried by
1 out of every 17 e-mail messages. That far surpasses the previous
record of 1 in 138 messages that carried the Klez.H virus.
I've prepared a special report on protecting your
company against the coming wave of attacks. This special section, found in the
longer, paid version of this week's newsletter, includes:
- Detecting and patching the RPC hole.
- Eradicating the worm from your machines.
- Halting an infected machine's 60-second reboot cycle so you
can treat the problem.
Upgrade your subscription before September 3 and the current paid version
of this week's newsletter will be sent to you via e-mail. All readers are
allowed to choose the level of contribution they feel is appropriate to make.
To upgrade, please visit
WindowsSecrets.com/upgrade.
I'm compiling readers' experiences about Blaster and other Windows problems.
To send me more information about the RPC hole, or to send me a tip on any other
subject, please visit
WindowsSecrets.com/contact.
RECOMMENDED READING - my book reviews of tech topics
In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters
What was it, exactly, that befell Lotus? Novell? Borland? What makes companies
that were high-flying market leaders one day suddenly become less-than-stellar
the next? Merrill Chapman puts the answers together, to sometimes hilarious
effect, in his new book, In Search of Stupidity. You can learn
something here almost no matter what your business does. (The subjects of
the book could have been selling pizzas, for all it matters.) But the afterword
on the role of software development will be particularly interesting to Windows
professionals.
Web Bloopers: 60 Common Web Design Mistakes and How to Avoid Them
If your company has a Web site, or is ever going to have a Web site,
Web Bloopers can save you from a very painful learning process.
Jeff Johnson's book ranks up there in brilliance with the
classic Web design tutorial,
Don't Make Me Think, co-authored by Steve Krug,
who provides a foreword to this new work. Johnson's 60 rules may seem
"obvious," but it's amazing how often they're broken. From stupid
search-display blunders to forms that look editable but aren't, he's
cataloged a compendium of errors that you're ahead of the game by avoiding.
Johnson became well-known from his older programming book,
GUI Blunders, but that was 2000 and this is now. Get the latest.
FORWARDING INSTRUCTIONS - news gains value when it's shared
Please share this information with your colleagues
You're encouraged to refer your friends and colleagues to this free
newsletter. Because most e-mail programs don't correctly display a formatted
message that's been forwarded, simply call people's attention to
the permanent Web address of this issue:
BriansBuzz.com/w/030821.
HERE'S A TIP - you'll get a better newsletter if you choose the paid version
You're reading the free version of Brian's Buzz on Windows
Subscribers to the paid version receive additional information in each issue.
Some of the extras this week are:
- This week's special report.
Stopping Blaster and defending against future attacks.
- New "critical" flaws. My analysis of severe weaknesses,
announced by Microsoft on August 20, that leave
machines using IE 5 and 6 wide open to a devastating e-mail infection.
- Free software. A new, free service that finds Wi-Fi hotspots
for you - worldwide - and more.
- Printer stops PC from booting up. This is a maddening problem
that affects many common PCs - but there's a simple fix.
If you make a contribution before September 3, 2003,
you'll be sent the full, paid version of this week's newsletter.
You choose what you feel is an appropriate amount to support this service.
To upgrade to the paid version, please visit
WindowsSecrets.com/upgrade.
Thanks in advance.
WACKY WEB WEEK - playing for you the Internet's greatest bits
Egg-ceptional: Flash animations that rock and roll
A lowly egg rolls into your browser window on a smooth, azure-colored
background. The ovoid object kind of seems to be following your mouse
pointer around, but then...? It begins to have a life of its own, too.
As you watch, the egg takes on new shapes, grows legs, walks around,
turns into a cube, and more. You're at Vector Park, a place where
a little Flash goes a long way. After you've tired of Eggy, click the
pointing hand icon and you'll find plenty of other stuff to look at.
My favorite is Leaves, but it's impossible to describe. You have to
see it for yourself.
CLOSING REMARKS - the best is yet to come
Join me on the Internet on Aug. 29 at 6:05 p.m. Pacific Time
I'll be the featured guest on the "Computer Outlook Radio Talk Show"
on Friday, August 29, from 6:05 to 7:00 p.m. Pacific Time. You can
hear the show, which originates in Las Vegas, Nevada, by connecting
with its Web site using your browser and then listening through your
speakers or headphones. It's easy to do:
- Visit ComputerOutlookRTS.com at the appointed time.
- Click the "Click here to listen" link.
- The live broadcast is played for you by Windows Media Player.
That's all there is to it. The show gives out a telephone number
for questions from listeners, so it should be interesting!
--Brian Livingston