
Reining in Blaster

Aug 18, 2003 (6 mins)

* Patches from SuSE, FreeBSD, Red Hat, others

* Beware the latest Trojans

* No back doors for CIA in our code: Microsoft, and other interesting reading

It looks as if the Blaster outbreak is now well under control, if not completely contained. But I did get a few tips from readers who had dealt with infected, unpatched Windows machines that could be useful in future outbreaks.

Reader Craig Cox writes:

“I bought time for downloading patches by making a very small download of Zone Alarm.  This will shut off the affected ports, permitting larger downloads such as the Symantec removal tool or the Windows Update to take place unmolested.”

And reader John Everson used this method when fixing a relative’s machine:

“The first thing I did was change the way errors were handled for the RPC service. Basically you change it from “Restart the computer,” and that fixes the rebooting problem (and saves some stress, etc.). Here are the steps (if you’re interested):

* Go into the services applet/application/console.

* Right-click the “Remote Procedure Call (RPC)” service.

* Select Properties.

* Go to the “Recovery” Tab.

* Change each of the failure options to “Take No Action.”

Naturally once you’re done cleaning up, you might want to change these options back to “Restart the Computer.”

Thanks to both for their tips. For more on the Blaster aftermath:

Blaster worm attack a bust

A scheduled denial-of-service attack against Microsoft’s main software update Web site did not materialize Saturday, as computers infected with the W32.Blaster worm failed to find their target. IDG News Service, 08/18/03.

Microsoft aims to outsmart denial-of-service attack

Microsoft on Friday took steps to defend its patch download site from a denial-of-service attack expected to be launched this weekend by machines infected by the now notorious Blaster worm. Network World Fusion, 08/15/03.

Microsoft, under attack, releases Blaster security advice

With a new version of the W32.Blaster worm on the loose and set to spawn a massive denial-of-service attack on a Microsoft Web site Saturday, the software maker Friday released a set of security guidelines for users in an effort to minimize the damage. IDG News Service, 08/15/03.

Today’s bug patches and security alerts:

SuSE releases kernel patch

A new update of the SuSE Linux kernel fixes a number of bugs and vulnerabilities that were discovered over the past couple weeks in previous versions of the code. For more, go to:


FreeBSD patches ibcs2

FreeBSD is warning of a flaw in ibcs2, a kernel option that “provides system call translation for running Intel Binary Compatibility Specification 2”. The flaw could be exploited by an attacker to view kernel memory. For more, go to:

DoS vulnerability in FreeBSD’s signal

FreeBSD’s signal code, which handles asynchronous events, contains a buffer overflow that could be exploited by a local user in a denial-of-service attack. For more, go to:


Red Hat issues new ddskk packages

A flaw has been found in the way ddskk, a simple Kana to Kanji conversion program, uses temporary files. This flaw could be exploited to overwrite arbitrary files on the affected machine. For more, go to:

Red Hat patches network configuration package

A number of bugs have been found in the network configuration utility for Red Hat Linux 9.0. A new version is available that fixes the flaws. For more, go to:

Red Hat fixes cdrtools bug

A bug has been found in the CD-burning software cdrtools for Red Hat Linux 9.0. It’s more of an annoyance than a security issue. A fix is available. For more, go to:

Red Hat patches KDE

A vulnerability in KDE’s Konqueror can cause authentication credentials to be sent to unintended third parties in clear text. An unauthorized user may be able to gain access to a password-protected site by exploiting this flaw. A new kdelibs package from Red Hat fixes these issues. For more, go to:


SGI warns of DoS flaw in IRIX

A flaw in SGI IRIX’s nfsd code could lead to XDR decoding errors, which can trigger a system panic. A remote user could exploit this to cause a denial of service. For more, go to:

SGI issues warning on Checkpoint/Restart flaw

A flaw in SGI IRIX’s Checkpoint/Restart (cpr) application could be exploited by an attacker to overwrite certain files. A fix is available. For more, go to:


Apple patches realpath

A flaw in Apple’s realpath function could be exploited by sending a path name that is 1,024 characters long through the function. Any application that calls the function could be susceptible to a denial-of-service attack, or an attacker could run arbitrary code. For more, go to:
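The realpath item above is the classic fixed-size path buffer problem: an input of a specific length lands exactly on the boundary of the buffer the function writes into. The following is an added example, not Apple’s code or a fix for it, showing the defensive pattern an application can apply around path resolution: cap the input length before the library call, give realpath() a buffer of at least PATH_MAX bytes, and copy into the caller’s buffer only when the result fits. The wrapper name resolve_path_bounded, the helper long_input_rejected and the INPUT_PATH_CAP constant (chosen to mirror the 1,024-character figure in the text) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Assumed input cap for this example: mirrors the 1,024-character figure in
 * the advisory text, not a constant taken from Apple's implementation. */
#define INPUT_PATH_CAP 1024

/* Portable declaration in case feature-test macros are not in effect. */
char *realpath(const char *path, char *resolved);

/* Length of 's' scanned up to at most 'cap' bytes (own bounded strlen). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hypothetical wrapper (added example): resolve 'in' into the caller's buffer
 * 'out' of 'outlen' bytes. Inputs of INPUT_PATH_CAP or more characters are
 * rejected before realpath() is ever called, and the result is copied only if
 * it fits. Returns 0 on success, -1 on failure with errno set. */
int resolve_path_bounded(const char *in, char *out, size_t outlen)
{
    char resolved[PATH_MAX];   /* realpath() requires at least PATH_MAX bytes */
    size_t n;

    if (in == NULL || out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }
    /* The bounded scan stops at the cap, so an unterminated or huge input is
     * rejected without reading past INPUT_PATH_CAP bytes. */
    if (bounded_len(in, INPUT_PATH_CAP) >= INPUT_PATH_CAP) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (realpath(in, resolved) == NULL)
        return -1;             /* errno set by realpath() */

    n = strlen(resolved);
    if (n + 1 > outlen) {      /* bounded copy into the caller's buffer */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, n + 1);
    return 0;
}

/* Test helper: build a constructed absolute path of exactly 'len' bytes made
 * of short components ("/zzz/zzz/...") so no single component exceeds NAME_MAX,
 * then report 1 if the wrapper rejected it up front (ENAMETOOLONG), 0 if it
 * reached realpath() (which fails with ENOENT for this nonexistent path). */
int long_input_rejected(size_t len)
{
    char out[PATH_MAX];
    char *path = malloc(len + 1);
    int rejected;
    size_t i;

    if (path == NULL)
        return -1;
    for (i = 0; i < len; i++)
        path[i] = (i % 4 == 0) ? '/' : 'z';
    path[len] = '\0';
    errno = 0;
    rejected = (resolve_path_bounded(path, out, sizeof out) == -1 &&
                errno == ENAMETOOLONG);
    free(path);
    return rejected;
}

int main(void)
{
    char out[PATH_MAX];
    if (resolve_path_bounded("/..", out, sizeof out) == 0)
        printf("resolved: %s\n", out);
    printf("1024-byte input rejected up front: %d\n", long_input_rejected(1024));
    printf("1023-byte input rejected up front: %d\n", long_input_rejected(1023));
    return 0;
}
```

The point of the two helper calls at the end is that the 1,024-byte input never reaches the library function at all, while a 1,023-byte input is passed through and fails only because the path does not exist; a caller that cannot patch the library immediately can still keep boundary-length inputs away from it.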


Conectiva releases patch for lynx

A CRLF (Carriage Return, Line Feed) injection vulnerability has been found in Conectiva’s implementation of lynx, a text-only Web browser. A fix is available. For more, go to:
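CRLF injection, as in the lynx item above, happens when a value taken from untrusted input is written into a line-oriented protocol such as HTTP headers without checking for the line terminator itself: one value becomes two header lines, the second chosen by whoever supplied the input. The following is an added example in C, not lynx’s code or the Conectiva fix, showing the unchecked writer beside a hardened one that refuses any name or value containing CR or LF, plus a line counter that makes the difference visible. The function names, the constructed kConstructedUnsafeValue sample and the header layout are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a header value that carries its own CRLF, which an
 * unchecked writer would turn into a second, caller-chosen header line. */
static const char kConstructedUnsafeValue[] =
    "text/plain\r\nInjected-Header: constructed";

/* Returns 1 if 'v' contains no CR or LF and so fits on one header line. */
int header_value_is_safe(const char *v)
{
    for (; *v != '\0'; v++)
        if (*v == '\r' || *v == '\n')
            return 0;
    return 1;
}

/* Counts "\r\n"-terminated lines in 'buf', i.e. how many header lines a
 * receiver would parse out of it. */
int count_header_lines(const char *buf)
{
    int lines = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

/* Unchecked writer (the vulnerable pattern): formats whatever it is given.
 * Returns bytes written, or -1 if the buffer is too small. */
int build_header_line_unchecked(const char *name, const char *value,
                                char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s: %s\r\n", name, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened writer: refuses names or values carrying CR/LF, so either exactly
 * one header line is emitted or nothing at all. Returns bytes written or -1. */
int build_header_line(const char *name, const char *value,
                      char *out, size_t outlen)
{
    if (!header_value_is_safe(name) || !header_value_is_safe(value))
        return -1;
    return build_header_line_unchecked(name, value, out, outlen);
}

int main(void)
{
    char buf[128];
    if (build_header_line_unchecked("Content-Type", kConstructedUnsafeValue,
                                    buf, sizeof buf) > 0)
        printf("unchecked writer produced %d header lines\n",
               count_header_lines(buf));
    printf("hardened writer returned %d\n",
           build_header_line("Content-Type", kConstructedUnsafeValue,
                             buf, sizeof buf));
    return 0;
}
```

Rejecting rather than stripping the terminators is the safer choice: silently deleting CR/LF can leave a value that still parses differently on the receiving side, whereas a refused write fails closed.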


Today’s roundup of virus alerts:

W32/Donk-C – A virus that attempts to spread via network shares and installs a Trojan horse backdoor on the infected machine. (Sophos)

Troj/Graybird-A – Another virus that drops a Trojan horse on the infected machine. This virus spreads via e-mail with a subject line of “updated” and an attachment named “03-26updated.exe”. (Sophos)


From the interesting reading department:

Review: AppShield edges InterDo in battle of Port 80 filters

A new class of products, often dubbed Web application firewalls, attempts to thwart Port 80-focused attacks by using blacklist- and whitelist-style input filtering. See how six products rated in our tests. Network World, 08/18/03.

No back doors for CIA in our code: Microsoft

Creating back doors for the CIA would be a “stupid decision” as the feature would certainly be discovered, says Microsoft’s chief security strategist Scott Charney. The Age, 08/15/03.