From: Graham, Robert (ISS Atlanta) (rgrahamISS.NET)
Date: Thu Oct 16 2003 - 08:23:49 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ISS has released a freeware utility to help scan for this vuln. We feel this vuln is pretty important -- at the same level as Blaster and Slammer. It is as wide-spread as the RPC/DCOM vuln exploited by Blaster, and it can easily lead to Slammer-style worms that slam out a flood of UDP traffic.

The tool is available at:
http://www.iss.net/support/product_utilities/
Note that it's unsupported, and that it's pretty raw at the moment, but the bug is pretty new.

One of the interesting aspects of the Messenger bug is that the patch disables the MS-RPC interface to the Messenger Service. IT departments can use my tool (or a wide variety of other messenger popup spam utilities based on RPC) to constantly notify users to apply the patch. As soon as they patch their systems, they automatically fix the problem of messenger popup spam. I think our own IT department is planing to run the tool on the internal network in order to "nag" our own users into submission. The side effect we are hoping for is that users fix the problem by applying Windows Update, which fixes other problems as well (such as MS03-039).

In other words, use the utility now to nag people into updating, then use it a week from now to actually find systems that haven't been updated.

Robert Graham
Chief Scientist, ISS

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa. Promotion expires
12/31/03 and cannot be used in combination with other offers.

----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]