joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Windows Patches…

by @ 7:32 pm on 7/11/2006. Filed under tech

It is patch Tuesday and there is at least one critical that folks should probably pay attention to if they just plain run Windows.

http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx

Mailslots used to be used quite extensively on Windows and still are in use now. The Messenger service (no, not that MSN Messenger thing, the one that receives NET SEND messages) uses a mailslot called \\.\mailslot\messngr. I wrote a program for Win9x forever ago (in the 90’s) that allowed Win9x machines to receive (but not send) the NET SEND aka Messenger messages so I did look at mailslots a little bit back then.

Things have changed and not as many things are using mailslots anymore, but just because you have the messenger service shut down on your machines, don’t think you are safe (unless you have a personal firewall up and are actually blocking RPC traffic, which is one of the first things people often open back up). There are other things using mailslots and you can find out yourself on a specific machine in a couple of ways. To find mailslots open right that second you can use handle.exe from Sysinternals. A command like

handle -a | grep -i mailslot

will show you all mailslots currently open.

Here is an example of the messenger mailslot

G:\Temp>handle -a | grep -i mailslot
File STDIN:
 1574: File          \Device\Mailslot\messngr

However, just because one second you don’t have any mailslots open doesn’t mean you won’t the next second or the second after. These things are handled like files and have low overhead so are easy to open and close. If you know for sure you aren’t using mailslots, just fire up filemon (again from sysinternals.com) and tell it to only show mailslots. I did that on a Windows XP SP2 machine and on a Windows Server 2003 SP1 DC, both machines patched up to everything as of a week ago and both showed mailslot activity outside of the messenger service. It appears to be old NETLOGON type functions… The mailslot names are things like

\\.\mailslot\NET\GETDC042 

\\.\mailslot\NET\GETDC963 

\\.\mailslot\NET\GETDC465

\\.\mailslot\NET\GETDC706

These were mailslots that were being created and deleted on the fly. How much exposure does that give you? I don’t know, I haven’t done a comprehensive examination of it, I just happened to take a peek because I recall how heavily MailSlots used to be used and I know that there is a lot of legacy code doing things a lot of MSFT people aren’t aware of.
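As an added example (not code from the original post), this Python script parses repeated `handle -a` dumps and reports which mailslots showed up in only some of them, which is why a single run can miss short-lived names like the GETDC ones. The sample dumps, the placeholder process names, the device-path form of the GETDC names and the per-process header layout are constructed assumptions.

```python
import re
from collections import Counter

# Handle line as printed in the post: " 1574: File          \Device\Mailslot\messngr"
# (assumption: some handle.exe builds add a flags column such as "(RW-)" before the path).
HANDLE_RE = re.compile(
    r"^\s*[0-9A-Fa-f]+:\s+File\s+(?:\(\S+\)\s+)?(\\Device\\Mailslot\\\S+)\s*$", re.I)
# Per-process header line, layout assumed: "<image> pid: <n> <account>"
PROC_RE = re.compile(r"^(\S+)\s+pid:\s+\d+")

def mailslots_in_snapshot(text):
    """Return the set of (process, mailslot path) pairs in one `handle -a` dump."""
    found, proc = set(), "?"
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            proc = m.group(1)
        elif m := HANDLE_RE.match(line):
            found.add((proc, m.group(1)))
    return found

def accumulate(snapshots):
    """Count, per (process, mailslot), how many snapshots it appeared in."""
    seen = Counter()
    for snap in snapshots:
        seen.update(mailslots_in_snapshot(snap))
    return seen

def transient(seen, total):
    """Mailslots missing from at least one snapshot, i.e. opened and closed on the fly."""
    return sorted(path for (_, path), n in seen.items() if n < total)

# Constructed sample dumps from three consecutive polls; process names are placeholders.
SNAPSHOTS = [
    r"""svc-a.exe pid: 812 NT AUTHORITY\SYSTEM
 1574: File          \Device\Mailslot\messngr""",
    r"""svc-a.exe pid: 812 NT AUTHORITY\SYSTEM
 1574: File          \Device\Mailslot\messngr
svc-b.exe pid: 640 NT AUTHORITY\SYSTEM
  2A0: File          \Device\Mailslot\NET\GETDC042""",
    r"""svc-a.exe pid: 812 NT AUTHORITY\SYSTEM
 1574: File          \Device\Mailslot\messngr
svc-b.exe pid: 640 NT AUTHORITY\SYSTEM
  2B4: File          \Device\Mailslot\NET\GETDC963""",
]

if __name__ == "__main__":
    seen = accumulate(SNAPSHOTS)
    print(transient(seen, len(SNAPSHOTS)))
```

To use it on a real machine, save the output of `handle -a` at intervals and pass the saved dumps to `accumulate` in place of `SNAPSHOTS`.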

There is another critical, but it doesn’t have the same impact that I care about generally; it is with the DHCP Client service and involves sending specially formed bad responses to a client who sends DHCP requests. I am more of a server guy and you don’t usually set servers up to be DHCP clients; some people do, but I am not one of them except in very small test environments. If you care about DHCP issues check out

http://www.microsoft.com/technet/security/Bulletin/MS06-036.mspx

 

If you want to see all of the bulletins check out

http://www.microsoft.com/technet/security/bulletin/ms06-Jul.mspx

 

All of that just to say… TEST TEST TEST!, then PATCH PATCH PATCH!

  joe

 
