- 10-21-2003, 03:59 PM #1 Adam Greatrix (Guest)
"Mike H" <[email protected]> wrote in message
news:[email protected]...
> Outgoing mail could be Virus Free, but then again we could be lying.
> Who knows, who cares? It's only and advertisement after all.
> Chequed by AVG anty-vyrus sistem (http://www.willysoft.com).
> Verzion: 13.0.395 / Vyrus Databaze: 2350 - Releaze Date: 31/02/04
LOL, I like that.... but if you had the latest super-leet version of the
virus killer it would read:
OU+9oinG M01l C0Uld b3 viRU5 FR33, BUt then AGAiN w3 c0ULD be lyIN9.
wHo KNOW5, WHO CAre5? I+'$ 0nlY 4nD 4dv3RT15emEn+ @pht3R 4lL.
cH3kw3d 8Y @v9 4NTy-VyrU$ 515T3M (hT+p://WWw.W1lly$of+.com).
vErZI0n: 13.0.395 / vyRU$ Da+4b4zE: 2350 - reLE4Z3 daTE: 31/02/04
Also, I've noticed that most viruses that have caused any significant
problem this year exploit security holes/features that have had official
patches released by MS months before they become a big problem... like MS
Blaster... The patch was released in early July. The virus hit big time
towards the end of August. People should try updating their OS as well!
Even more alarming is that the domain name in your virus sig exists!
Ahh... those script kiddies!
Anyway...
Adam
- 10-22-2003, 03:29 AM #2 G.T (Guest)
Re: rip off (now totally OT)
Hello,
> patches released by MS months before they become a big problem... like MS
> Blaster... The patch was released in early July. The virus hit big time
> towards the end of August. People should try updating their OS as well!
What ? The Blaster worm ran on early August, as I was informed by my ISP on
08/15/2003. I had some friends' computers to clean up on 08/13 (being myself
under W98 I had no problem).
The M$ patch was a joke... Having to clean up a computer running W2k and
searching this f**king patch showed me that the hole (FYI, port 135 being
opened, no one knows why) was present since Win NT4 (released late '95-early
'96). So what ?
And support for W2k SP2+ only, had SP1 stations, had to order the (free) SP4
update CD, wait for it (4 weeks) and then only install the patch...
Why waiting, say, 6 years before patching a safety hole ? Did they really
change everything with XP, as they said ? Obviously not, since this matter
existed for ages.
OK, a bit OT, but see : your example was not a good one, IMO.
Regards,
G.T
[email protected]
205 Diesel & turbo-Diesel : http://205d.fr.st
- 10-22-2003, 03:57 PM #3 Adam Greatrix (Guest)
Re: rip off (now totally OT)
"G.T" <[email protected]> wrote in message
news:[email protected]...
> What ? The Blaster worm ran on early August, as I was informed by my ISP on
> 08/15/2003. I had some friends' computers to clean up on 08/13 (being myself
> under W98 I had no problem).
Yeah, but the patch was available in early July. Windows 98 is not immune,
but you do have to install a program that also installs the DCOM Endpoint
Mapper, Visual Studio for one example.
> The M$ patch was a joke... Having to clean up a computer running W2k and
> searching this f**king patch showed me that the hole (FYI, port 135 being
> opened, no one knows why) was present since Win NT4 (released late '95-early
> '96). So what ?
I know why that port is open... Port 135 is open as it's used by the DCOM
RPC Endpoint Mapper (or Service Control Manager) for several things. One is
as an initial connection and negotiation point to establish what higher
ports other DCOM services are running on (such as the net messenger
service). It is similar to what port 111 does on Sun Unix machines. However,
although many programs are DCOM aware, I'm yet to come across many that are
dependent on it to run. One of the first things I do after installing a new
OS is to shut down services that I'm not going to use, or don't want to be
used. DCOM is one of them. No point in having them running and taking up
resources if you're not going to use them.
Another thing I would do is make sure that a firewall, somewhere, is
blocking (among many other things) 135 to 139 from the internet. This might
be a firewall on my local machine (such as ZoneAlarm Pro), a hardware
firewall, or the ISP's firewall. Most *decent* ISPs will block a port for you
if you ask them nicely. It is extremely rare that you'd want ports 135 to
139 open to the internet.
Yes, the vulnerability has existed for ages. But then so has the knowledge
to block 135 to 139 from everything but your intranet for the same amount of
time. However, the REAL problem is that using a specially crafted
message sent to this port you can overflow the buffer and execute arbitrary
code. This wasn't discovered until recently, and it was only a very short
time before MS released the patch. The patch doesn't close port 135, it just
stops the buffer overflow. Port 135 is still needed.
> Did they really change everything with XP, as they said ? Obviously not,
> since this matter existed for ages.
No, those services still have an important role to play. However, the
standard internet connection firewall that is active by default on Windows
XP can block these ports.
> OK, a bit OT, but see : your example was not a good one, IMO.
Yes, but that's based on your incorrect assumption that the problem was that
port 135 is open (and has been for many years). This was not the problem.
The problem was the buffer overflow you can cause if you do very bizarre
things to this port. To use an analogy, it would be like saying cars have
tyres (we've known this for years), and somebody a few years later realised
that you can mess up a car if you stab a knife through the tyre. The problem
is not the tyre, nor would people start saying cars should never have had
tyres - they need them. The problem is the fact that somebody thought up a
way to maliciously exploit the fact that cars have tyres. If it became a big
enough problem then tyre manufacturers may then make their tyres knife proof
(in the same way MS fixed the buffer overflow problem). But it would be
unfair to say that tyres have existed for many years and hence should have
been made knife proof from the start. Some things just aren't that obvious.
It took well over half a decade for somebody to figure out this exploit of
port 135.
Adam
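
Added example, not part of the thread or of any poster's message: a small audit of a first-match firewall rule list against the advice in post #3 to block ports 135 to 139 from everything but the intranet. The rule format, both rule sets and the addresses (192.168.1.0/24 as the intranet, 203.0.113.7 as an internet host) are constructed for illustration.

```python
import ipaddress

# Constructed rule sets (first match wins), not taken from any real firewall.
# Each rule: (action, source network, first port, last port)
WEAK_RULES = [
    ("allow", "192.168.1.0/24", 1, 65535),  # intranet may reach everything
    ("deny", "0.0.0.0/0", 137, 139),        # NetBIOS blocked, 135-136 forgotten
    ("allow", "0.0.0.0/0", 1, 65535),       # default allow
]
FIXED_RULES = [
    ("allow", "192.168.1.0/24", 135, 139),  # RPC endpoint mapper for intranet only
    ("deny", "0.0.0.0/0", 135, 139),        # everyone else is refused
    ("allow", "0.0.0.0/0", 80, 80),         # an unrelated public service
    ("deny", "0.0.0.0/0", 1, 65535),        # default deny
]


def decide(rules, src, port):
    """Return the action of the first rule matching src/port; deny if none match."""
    addr = ipaddress.ip_address(src)
    for action, net, lo, hi in rules:
        if addr in ipaddress.ip_network(net) and lo <= port <= hi:
            return action
    return "deny"


def audit(rules, intranet_host, internet_host, ports=range(135, 140)):
    """Report which of ports 135-139 are internet-reachable or intranet-blocked."""
    exposed = [p for p in ports if decide(rules, internet_host, p) == "allow"]
    broken = [p for p in ports if decide(rules, intranet_host, p) != "allow"]
    return {"exposed_to_internet": exposed, "blocked_for_intranet": broken}


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(rules, "192.168.1.20", "203.0.113.7"))
```
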