| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 May 2006 01:24:53 +0100 From: "Nick Boyce" <nick.boyce@...il.com> To: bugtraq@...urityfocus.com Subject: Is MS06-018 a DoS or a system compromise ? There seems to be some confusion in MS Security Bulletin MS06-018, "Vulnerability in Microsoft Distributed Transaction Coordinator". The bulletin itself (http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx) states : "An attacker could cause the Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests." whereas the linked download pages for both the Win2K and WinXP patches http://www.microsoft.com/downloads/details.aspx?familyid=8B98F380-0E5C-4B80-9710-95E1B35AFD83&displaylang=en http://www.microsoft.com/downloads/details.aspx?familyid=D80B43B2-727B-46B6-82D1-F2CBD916FE32&displaylang=en state : "A security issue has been identified in the Microsoft Distributed Transaction Controller service that could allow an attacker to compromise your Windows-based system and gain control over it." The related McAfee advisory (http://seclists.org/lists/bugtraq/2006/May/0215.html) states : "Exploitation can at most lead to a denial of service and therefore the risk factor is at medium." so I guess DoS is what it is ... but it would still be nice if someone in the know could confirm the download pages are wrong .... anyone from Microsoft here ? Cheers Nick Boyce -- One way to make your old car run better is to look up the price of a new model.
Powered by blists - more mailing lists