Security

Friday, September 12, 2003

Water Leaking through the Duct Tape

So the minimally competent programmers in the code mines of Redmond forgot to check another buffer. Swell. So some ISPs have blocked the ports used for the Microsoft RPC services involved, which leads Jon Udell talks about folks blocking tcp/135 and the subsequent loss of network neutrality. In the course of the article he mentions RPC-over-HTTP.

I don't agree with Internet access providers' blocking ports. It just causes the problem to move to another port. SOAP, RPC-over-HTTP, and other crap use HTTP as a transport because HTTP ports are assumed to be readily available. And they use HTTP because they can: the Internet Protocol is just that flexible. Besides, you can always capture some eyeballs to encourage patching.

On the other hand, I don't like the RPC portmapper, whether OSF DCE/Microsoft's or Sun's, because it's a pain-in-the-ass to secure. For one thing, it exposes too much information about a host. For another, the portmapper points to services that listen on arbitrary ports. That's its role. It's necessary because those services are available on arbitrary ports. Since the ports are abitrary, I can't block them at a lower level — I don't know where they will manifest themselves. I have to trust that they'll secure themselves.

Something which, as Microsoft has so adequately demonstrated over the past few weeks, they do not do.

2:02:22 PM # Google It!
categories: Security

September 2003
Sun	Mon	Tue	Wed	Thu	Fri	Sat
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30
Aug Jan