A few hours ago, a message was posted to one of the security mailing lists dedicated to patch management for Microsoft systems (WSUS-PATCHMANAGEMENT) questioning whether the public exploit for the recently discovered vulnerability in Microsoft's DNS servers affects ONLY servers.
D’Amico is a regular contributor to this list, so, without wishing to alarm anyone, I am copying the full message below. Judge for yourselves, and stay alert for further news just in case.
Our security team has identified 25+ computers that have been exploited via RPC on a port higher than 1024. Their operating assumption is that it is this exploit but NONE of the stations are SERVER OS’s. I am quoting here from our security team.
«…I don’t think Microsoft is aware of the full extent of the problem just yet, or they’re simply refusing to acknowledge it. We were on the phone with two of their people today who seemed to be mostly clueless about this exploit. We’re currently doing forensics on a system (XP SP1) that appears to be compromised in the same manner, but it falls outside the range of the supposedly ‘exploitable’ operating systems.
The complexity of the attacks is also beginning to vary as it appears the exploit is slowly being spread in the underground. I promise I’m not doing this through some type of security voodoo, and am only calling it like I see it. The signature presently in place is very broad in nature and only looking for specific & successful RPC binds to ports greater than 1024, so it may in fact be detecting other unknown RPC exploits altogether. Feel free to pass this on if you deem it necessary.»
My point is if we are assuming that only server OS’s are vulnerable to this exploit we may be in for a rude awakening. At least one of the compromised boxes was a fully patched WIN2K Pro desktop.
Would one of you MVP’s please inquire with MS as to their explanation for this set of events?
Once I know more I will share what I can.
Blaine A. D’Amico
University Systems Security Architect
The George Washington University
ISS/CIMS
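
The kind of signature the quoted team describes (a successful RPC bind to a port above 1024) can be sketched as follows. This is an added example, not code from the original message or from the GWU security team; the `Segment` record format, the rule that any bind_ack counts as success, and the sample traffic are assumptions made for illustration.

```python
import struct
from collections import namedtuple

# Assumed input: one reassembled TCP payload per record (hypothetical format).
Segment = namedtuple("Segment", "src sport dst dport payload")
BIND, BIND_ACK, BIND_NAK = 11, 12, 13  # DCE/RPC connection-oriented PDU types

def parse_header(payload):
    """Return (ptype, call_id) for a DCE/RPC v5.0 PDU header, else None."""
    if len(payload) < 16 or payload[0] != 5 or payload[1] != 0:
        return None
    order = "<" if payload[4] >> 4 == 1 else ">"  # data representation byte
    frag_len, _auth_len, call_id = struct.unpack(order + "HHI", payload[8:16])
    return (payload[2], call_id) if frag_len >= 16 else None

def successful_high_port_binds(segments, floor=1024):
    """List (client, server, port) for binds to ports > floor that were acked."""
    pending, hits = set(), []
    for s in segments:
        hdr = parse_header(s.payload)
        if hdr is None:
            continue
        ptype, call_id = hdr
        if ptype == BIND and s.dport > floor:
            pending.add((s.src, s.sport, s.dst, s.dport, call_id))
        elif ptype == BIND_ACK:
            key = (s.dst, s.dport, s.src, s.sport, call_id)
            if key in pending:  # assumption: any bind_ack counts as success
                pending.discard(key)
                hits.append((s.dst, s.src, s.sport))
    return hits

def pdu(ptype, call_id):
    """Build a constructed 16-byte little-endian header for the sample data."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16, 0, call_id)

# Constructed sample traffic (documentation addresses), not captured data.
SAMPLE = [
    Segment("192.0.2.10", 40000, "192.0.2.50", 1026, pdu(BIND, 1)),
    Segment("192.0.2.50", 1026, "192.0.2.10", 40000, pdu(BIND_ACK, 1)),
    Segment("192.0.2.11", 40001, "192.0.2.50", 135, pdu(BIND, 1)),
    Segment("192.0.2.50", 135, "192.0.2.11", 40001, pdu(BIND_ACK, 1)),
    Segment("192.0.2.12", 40002, "192.0.2.51", 1030, pdu(BIND, 7)),
    Segment("192.0.2.51", 1030, "192.0.2.12", 40002, pdu(BIND_NAK, 7)),
    Segment("192.0.2.13", 40003, "192.0.2.52", 8080, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for client, server, port in successful_high_port_binds(SAMPLE):
        print(f"successful RPC bind {client} -> {server}:{port}")
```

Because the match ignores which RPC interface is being bound, it flags every acknowledged bind on a high port, which is the breadth the quoted message warns about.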