XP Firewall and blaster worm

Gary

I run XP Home and always have the XP firewall enabled on
my dialup connection. I also have the w32.Blaster.Worm
virus definition in my virus scan software. I never allow
the automatic update service to run (always disabled--I
have always taken a dim view of automatic software
downloads and/or installations, also, "better the devil
you know than the devil you don't"--give me a service
pack update a year or two down the pike). Is there any
way blaster can connect to my TCP port 135 if it happens
to find my IP (which is dynamic, being a dialup, and
changes on every connection) while I am connected? I
can't find the particular port blocking menu, which I
have seen somewhere in the maze of menus on xp in the
past. I don't allow any remote access to any services on
my computer (in the firewall settings menu). Do I still
need the patch, and if so, why?
 
Everyone needs the patch - no ifs, ands or buts. I'm not convinced the XP
firewall is the greatest thing since sliced bread, but even the best
firewall is no substitute for regular patching.
 
Not to be rude, but if I had wanted company policy I am
aware of that. I would still like to see a response from
someone with the technical expertise to reply directly to
the issues I raised in the initial posting. Thanks.
 
I answered your question, I think - everyone needs the patch. Even dynamic
IPs, dialup accounts, are susceptible.
 
No, you didn't answer the question, and having just spent
most of the day finding the answer (and I do appreciate
the mvp post above about checking the security faq's
before posting, because that put me on the long, long
trail of answering the question) I can understand why.
Whew! If you were simply agreeable to immediately (as
in, "before it has been in the field for a while and
tested in a variety of environments") installing the
patch at MS03-026 (and as I suspected, I have seen a lot
of people posting today developing immediate problems
with installing the patch--who tests the tester?) then you
would indeed fix the basic problem, i.e., the failure of
Windows RPC service to properly check message inputs
under certain circumstances, which would cause a buffer
overrun which would permit an attacker to execute
arbitrary code (presumably through the underlying DCOM
interface which listens to RPC without properly checking
the data passed to it--hence the patch)--the "exploit"
code in the blaster case, which then spawns a remote
shell on port 4444 and uses TFTP to download msblast.exe
and run it (I noted an interesting stopgap defense here
today--disable access to tftp.exe with NTFS
security/access permissions). Anyway, to answer my own
question, XP ICF will block the probes to TCP port 135
(where DCOM listens by way of RPC) among others by which
blaster typically gains access to RPC (and I had my port
probed to verify this--it gave the prober the silent
treatment). In conjunction with the disabling of CIS (COM
Internet Services) and its follow on RPC over HTTP I
should be safe for time being, at least until the wily
attackers find another vector by which to get to the
underlying RPC/DCOM error--which is admittedly a good
reason for accepting the patch at some point down the
line. The fact that my virus definitions now include the
w32 blaster worm should also harden my defenses, whatever
the vulnerability of the underlying RPC/DCOM software.
 
Sorry I couldn't help, did the best I could, given the phrasing of your
question. Just a note - I patched all my servers and workstations with this
about a day after it came out, and have had no trouble whatsoever. I've seen
posts wherein the patch didn't actually install, and posts wherein the patch
was installed over the worm and had problems...but for regular ole installs
over W2k SP3, NT4 SP6a, WinXP unpatched and SP1, no problem.

You asked, "Is there any way blaster can connect to my TCP port 135 if it
happens to find my IP (which is dynamic, being a dialup, and changes on
every connection) while I am connected?" and I answered that you needed the
patch, which is an implied yes. All systems need regular (albeit cautious)
patching, firewall or no. The latter is not a substitute for the former,
even if you're not on a network.

Sorry if I wasn't able to answer this to
your satisfaction, but I'm glad you found what you wanted via searching -
this is all very annoying stuff to us all! :-)
 
Gary,
did you manage to find the place in XP which lists the ports which are
blocked? You mentioned that you didn't know where this was in your
original note. I'm wondering whether you managed to find the answer to
that as well? (I can't find it either)
 