My turn to weigh in on this...
First of all, a fifty-dollar firewall probably will protect you from this RPC virus! Yes, it's true that most firewalls don't block UDP... but the UDP would have to be transferred directly to your machine to have an effect. Unless you've got a static mapping for all TCP and UDP ports on your firewall pointing at your workstation, then you'll be fine. I've tested this in a lab, and it works (yes, we have a copy of the worm "in captivity").
Second, the most important thing to realize (which I discovered the hard way this morning) is that the MS03-026 patch from Microsoft DOES NOT ALWAYS WORK! It says it worked, it shows up in Add/Remove Programs, it even writes registry entries... but DOES NOT REPLACE THE BAD FILES. That means your box can still be vulnerable even though you patched it.
Where I'm working right now, we have about 200 servers that were all patched last week. This morning on a whim I created a test script that would compare file versions as well as check the registry entries (which is our default method of finding out if the patches are installed properly). Lo and behold I find 53 servers that are lacking the necessary files... running a little tool called scanms (a non-destructive tool that tests for the DCOM vulnerability) I confirmed that all of these servers were vulnerable even though the patch was showing as installed. I have to return to work at 1am and start patching before 6am... it's gonna be a long night.
Hope this helps someone avoid getting bitten the way I just have!
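The check the poster describes (trusting the file versions on disk rather than the registry entry the installer writes) as an added PowerShell example, not the poster's script. The registry path and the file/version table are placeholders to be filled from the vendor bulletin for the OS in question; rpcss.dll is assumed here as one of the files the update replaces.

```powershell
# Added example: verify a hotfix by the versions of the files it should have replaced,
# not only by the registry entry that Add/Remove Programs reads.
# ASSUMPTIONS (not from the post): the registry key and the minimum versions below are
# placeholders; take the real values from the bulletin for the product and service pack.

$HotfixRegKey  = 'HKLM:\SOFTWARE\Microsoft\Updates\PLACEHOLDER-PRODUCT\PLACEHOLDER-KB'
$ExpectedFiles = @{
    "$env:SystemRoot\system32\rpcss.dll" = [version]'0.0.0.0'   # placeholder minimum version
}

function Get-FileVersionObject {
    param([string]$Path)
    # FileVersion can carry a text suffix, so build the version from the numeric parts.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-HotfixReallyInstalled {
    param([string]$RegKey, [hashtable]$Expected)
    $registrySaysInstalled = Test-Path -Path $RegKey
    $stale = @()
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -Path $path)) { $stale += "$path (missing)"; continue }
        $actual = Get-FileVersionObject -Path $path
        if ($actual -lt $Expected[$path]) { $stale += "$path ($actual < $($Expected[$path]))" }
    }
    # 'RegistryOnly' is the case the post warns about: the patch shows as installed
    # but the vulnerable files are still in place.
    $status = if ($stale.Count -eq 0) { 'Patched' }
              elseif ($registrySaysInstalled) { 'RegistryOnly' }
              else { 'NotPatched' }
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        RegistryInstalled = $registrySaysInstalled
        StaleFiles        = ($stale -join '; ')
        Status            = $status
    }
}

Test-HotfixReallyInstalled -RegKey $HotfixRegKey -Expected $ExpectedFiles | Format-List
```

Run it on each host (or wrap the call in Invoke-Command) and treat any RegistryOnly result as unpatched, since the installer's own success record is what misled the registry-based inventory.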