Wednesday, August 02, 2006

DCOM - Vulnerability #1

I am starting to think DCOM is a real security hazard. Every hosting company I talk to seems afraid to touch it. The one I talked to last said disabling it can "cripple the OS". The one I talked to before that said it could be "disabled no problem". So which is it?

And by the way, I didn't ask to disable DCOM. I just want it to be secure so someone can't use it to launch rogue applications like they did on my box at the last hosting company. Someone was able to launch apps that were sending spam and who knows what else (see previous topics) using DCOM.

I am not sure how they got those apps on the box in the first place - I know they were launched through DCOM, however they could have been installed by other means. Was it through my app, or someone internal to the organization who had access to the machine? I also find it interesting that they say they have no knowledge or understanding of my web application, and I find this to be a crock of you know what, since I recently found an article saying they are partnered with the company who wrote my application server. Since they are partnered up with JBoss, they probably have some internal or closely related people over there who are very aware of any known hacks, should they want to take this hacker action to steal my money (which was clearly happening for three months over there, and I am not yet positive it has been resolved).

But back to DCOM.

So whose responsibility is DCOM anyway? It's kind of an application thing: something people use to write apps that connect to and talk to each other over the Internet, and a way to launch remote applications. However, it ships with the OS, and so in my opinion, if a hosting company is claiming that it is going to "harden the OS" for you and manage security, then securing DCOM from launching rogue applications, and from being left unnecessarily accessible if the client is not using it, is an issue that the hosting company should address.

So far not one single company I have talked to has anything about DCOM or RPC in their OS hardening policies. This is clearly a fact that hackers are taking advantage of based on my experience.

Additionally, if changing DCOM settings can "cripple the OS", why is there no clear documentation from Microsoft on how to correctly secure DCOM, and no simpler way to figure out what apps are using it and whether it can be safely disabled on a machine where it is not needed? The documentation on the Microsoft web site is even sketchy - warning that disabling DCOM may cause problems, but not clearly defining those problems so a person can make a technical and accurate decision as to whether disabling it is the correct thing to do or not.
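The question the post keeps coming back to is "what on this box actually depends on DCOM, and how is it locked down?" The read-only audit below is an added example, not code from the original post or from any hosting company; it is the kind of inventory a defender would run before deciding whether `EnableDCOM` can be set to `N` on a given machine. It assumes Windows PowerShell 3 or later (or pwsh on Windows) run from an elevated prompt so the `Ole` and `AppID` registry keys are readable. The registry values (`EnableDCOM`, `MachineLaunchRestriction`, `MachineAccessRestriction`, per-AppID `LaunchPermission`/`AccessPermission`) and the WMI class `Win32_DCOMApplicationSetting` are real; the function names are this example's own.

```powershell
# Added example (not from the original post): read-only DCOM exposure audit.
# Assumes an elevated Windows PowerShell 3+/pwsh session on a Windows host.

$OleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'        # machine-wide DCOM settings
$AppIdKey = 'HKLM:\SOFTWARE\Classes\AppID'       # one subkey per registered DCOM AppID

# COM access-mask bits as stored in DCOM launch/access ACLs.
$ComRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivate'; 16 = 'RemoteActivate' }

# Decode a self-relative binary security descriptor (the format DCOM stores in
# the registry) into one row per ACE, resolving SIDs to account names where possible.
function Convert-DcomSecurityDescriptor {
    param([byte[]]$Bytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $account = $sid.Value
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $rights = foreach ($bit in ($ComRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $ComRights[$bit] }
        }
        [pscustomobject]@{
            Type    = $ace.AceType          # AccessAllowed / AccessDenied
            Account = $account
            Rights  = ($rights -join ',')   # the Remote* rights are the ones to scrutinize
        }
    }
}

# Machine-wide switch and the default ACLs that every AppID without its own ACL inherits.
function Get-DcomMachineSettings {
    $ole = Get-ItemProperty -Path $OleKey
    $launch = $null
    $access = $null
    if ($ole.MachineLaunchRestriction) { $launch = Convert-DcomSecurityDescriptor $ole.MachineLaunchRestriction }
    if ($ole.MachineAccessRestriction) { $access = Convert-DcomSecurityDescriptor $ole.MachineAccessRestriction }
    [pscustomobject]@{
        EnableDCOM                = $ole.EnableDCOM                 # 'Y' = enabled, 'N' = disabled
        LegacyAuthenticationLevel = $ole.LegacyAuthenticationLevel  # default RPC auth level, if set
        MachineLaunchRestriction  = $launch                         # $null = COM built-in defaults apply
        MachineAccessRestriction  = $access
    }
}

# Every registered DCOM application, with the settings that matter for a hardening review.
function Get-DcomApplicationInventory {
    Get-CimInstance -ClassName Win32_DCOMApplicationSetting | ForEach-Object {
        $props = Get-ItemProperty -Path (Join-Path $AppIdKey $_.AppID) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            AppID           = $_.AppID
            Name            = $_.Caption
            RunAs           = $_.RunAsUser          # identity a launched server process runs under
            RemoteServer    = $_.RemoteServerName   # non-empty when activation is redirected to another host
            Service         = $_.LocalService       # non-empty when the server is an NT service
            HasOwnLaunchACL = [bool]$props.LaunchPermission  # $false => inherits MachineLaunchRestriction
            HasOwnAccessACL = [bool]$props.AccessPermission  # $false => inherits MachineAccessRestriction
        }
    }
}

# Usage: print the machine-wide picture, then the applications that would break if DCOM went away.
$machine = Get-DcomMachineSettings
"DCOM enabled machine-wide: $($machine.EnableDCOM)"
'Machine-wide launch restriction:'; $machine.MachineLaunchRestriction | Format-Table -AutoSize
'Machine-wide access restriction:'; $machine.MachineAccessRestriction | Format-Table -AutoSize

$apps = Get-DcomApplicationInventory
'{0} AppIDs registered, {1} with their own launch ACL, {2} configured with an explicit RunAs identity' -f `
    $apps.Count, @($apps | Where-Object HasOwnLaunchACL).Count, @($apps | Where-Object RunAs).Count
'AppIDs that run as a specific user or point at a remote server:'
$apps | Where-Object { $_.RunAs -or $_.RemoteServer } | Format-Table AppID, Name, RunAs, RemoteServer -AutoSize
```

Two things in the output answer the post's question directly. The inventory shows which registered AppIDs the machine actually carries (and which are services or run as a dedicated identity), which is the list to check against before flipping `EnableDCOM` to `N`. The machine-wide ACL rows show who holds `RemoteLaunch`/`RemoteActivate`; any AppID without its own launch ACL inherits exactly that, so a broad group with remote rights there is the setting a hardening policy should be looking at rather than DCOM as a whole.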

And as argued before, you should not be able to do something on the OS that allows you to "cripple" your machine via the user interface. I understand if you are changing registry settings or something like that. But changing security in the OS settings? What's the point of a user interface? It should have some application logic to prevent this, and a way to safely back it out if they aren't going to prevent it.