lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 9 Sep 2003 13:51:25 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "'Nathan Wallwork'" <owen@...gent.org>
Cc: "'GreyMagic Software'" <security@...ymagic.com>,
   "'Bugtraq'" <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <http-equiv@...ite.com>, "'NTBugtraq'" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
   <vulnwatch@...nwatch.org>
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032




> -----Original Message-----
> From: Nathan Wallwork [mailto:owen@...gent.org] 
> Sent: Tuesday, September 09, 2003 1:18 PM
> To: Drew Copley
> Cc: ADBecker@...ortgage.com; 'GreyMagic Software'; 'Bugtraq'; 
> full-disclosure@...ts.netsys.com; http-equiv@...ite.com; 
> 'NTBugtraq'; 'Microsoft Security Response Center'; 
> vulnwatch@...nwatch.org
> Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
> 
> 
> On Mon, 8 Sep 2003, Drew Copley wrote:
> > The only sure way to detect this, I already wrote about [to 
> Bugtraq]. 
> > That is by setting a firewall rule which blocks the 
> dangerous mimetype 
> > string
> > [Content-Type: application/hta]. Everything else in the 
> exploit can change. 
> 
> Just so we are clear, the firewall wouldn't tbe he right 
> place to catch 
> this because that string could be split by packet 
> fragmentation, so you'd 
> need to look for it at an application level, after the data stream 
> has been reassembled.  

Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a
traditional term. Any IPS that does not handle fragmentation, though, has
some serious problems. 

> 
> Of course, if anyone thinks it is easier to protect their 
> browser with a 
> proxy than fix the browser they've got other issues.

Yes, exactly. 

There have been a lot of inaccuracies about this bug. What should be
absolutely clear to everyone is that it is a very serious security hole and
users should put in a fix on their own system and the systems which they are
responsible for. 

Any kind of "well, my AV protects me from this" is absolutely inexcusable.
As Nick Fitzgerald pointed out, I don't even think there is AV which looks
at server response codes. 

This means there is absolutely no protection offered from these products.

There is a near infinite number of ways someone could write exploit code
doing the same thing for this bug. There is no way AV can protect against
the next virus. They don't know it exists. How can they protect against it? 

Beyond this, if you actually tell people you depend on this kind of
solution... You are telling everyone you are vulnerable. You are telling the
leagues of the security world "I have this vulnerability on my system, my
browser is an open door". 

People, think. 

We are not lying and we are not incorrect about this.

Those that are not ignorant of this problem have a conscience obligation to
secure the systems they are in charge of. 







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ