Campus IT teams patching Windows security flaw
BERKELEY – A flaw in the Microsoft Windows operating system has left UC Berkeley IT security teams scrambling to patch thousands of PCs before online vandals can compromise them. Off-campus access to some network ports has been shut down temporarily to ward off intruders.
Craig Lant, campus information systems security officer, said any unpatched Windows PCs on campus are potentially at risk, but so far the actual damage has been fairly limited. Although he estimated that there are "tens of thousands" of PCs on campus, he said there was no way to know how many have already been patched.
The network port shutdown, instituted Tuesday morning, has limited the ability of off-campus users to interact remotely with campus computers, including some e-mail servers. However, the disruption "hasn't been too bad, at least not as bad as I feared," Lant said. He said the effects were fairly evenly spread across campus, rather than being concentrated in certain departments.
A handful of departments or servers have been excepted from the blockage, at the request of their administrators. "As long as they have their systems under control [with patches installed], the network people have been able to do that," Lant said.
The flaw in the Windows NT, 2000 and XP operating systems, first disclosed by Microsoft Corp. two weeks ago, allows hackers to gain access to vulnerable PCs through a process known as a remote procedure call (RPC). Once connected to a vulnerable machine, a hacker can "essentially take it over and do anything they want to," Lant said, including accessing any information stored on the computer or corrupting its files. Networks to which a compromised machine is connected are also at risk.
Microsoft has released a software patch (available on the Microsoft website) that it promises will seal the RPC hole. Lant said users of Unix and Macintosh computers should not be affected by the RPC vulnerability, which exploits network ports and procedures used only by Windows machines.
Campus systems administrators are scanning all the networks under their control, searching for PCs that have already been compromised by the RPC exploit. "As soon as we discover a machine that's compromised, we try to take care of it before hackers can do anything with it," Lant said.
But while administrators are checking from inside the network, outside hackers are probing the campus's defenses, hunting for machines they can invade. "Scanning for the (RPC) vulnerability from off campus is pretty much continuous," Lant said. "I would estimate that virtually all campus PCs have been scanned at least once."
As a precautionary measure, IT officials shut down off-campus access to the vulnerable network ports at 6 a.m. Tuesday (8/5). The port blockage, which could last through Friday, is intended to buy system administrators additional time to secure their defenses and apply the software patch to remaining machines.
Lant had hoped to be able to limit the shutdown to just a small number of unpatched machines. However, scans late Monday night showed that there were still more than 800 vulnerable machines on campus, he said, "which was just too much to do individual blocks."
The port blocks prevent off-campus PC users from performing a number of remote access functions, including sharing files with campus users, remote desktop replication, and some e-mail access (for off-campus users trying to read mail hosted on a Microsoft Exchange e-mail server). The Socrates and UCLink e-mail systems are not affected, Lant said.
"On campus, you shouldn't see anything, because the blocks are going to go in at the borders of the campus network," he added.
There are workarounds that could allow continued remote access in the event of temporary port closures, but Lant said they are technically complex. "If you have a support person in your department, there is a good chance they would be able to deploy something" to preserve remote access, he said.
The Microsoft software patch requires no such technical expertise, Lant said. "Applying the patch should be pretty straightforward, so people should be able to go ahead and do it on their own machine." IT officials are urging PC users to install the patch on any Windows machines they use at home as well as those at work. (Some office PC users will not be able to install the patch because of the way their machines are configured; if in doubt, check with your departmental IT support group.)
Lant said that while he had heard of some PCs experiencing problems after being patched, he believed those machines had already been compromised before the patch was applied.
Many campus units have installed software or hardware firewalls to protect their users from unauthorized access, but Lant said even those users should "absolutely" install the RPC patch. "In many cases, people using firewalls still need to access these services through the firewall, so those ports need to be opened," he said.
Further information, including instructions on installing the software patch, is available from the System and Network Security office.