Message-ID: <4089919D.1080403@egotistical.reprehensible.net>
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: Potential Microsoft PCT worm (MS04-011)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You should be more careful in the future, this email message started a
lot of panic and alarm.
A worm is coming, we all know that! Whether today, next week or in a
month, it will come. I appreciate any warning, but not one such as this.
This advisory below however is not from Microsoft, and although I am
sure you meant no harm, it appears to come from MS, format-wise and it
might even imply so at first glance.
None of the people I talked this over with see a worm yet, so please be more
careful in the future, because unless you have actual information, this
advisory is nothing but misleading and a recycle of old information -
which I am sure you didn't mean, but rather just gathered relevant
information in an MS-like format for us all to benefit from.
Since you claim to have the "new" exploit, how about a snort signature,
for example, or more information?
Sorry if I have been rude.
Thank you.
Gadi Evron.
advisories wrote:
| Potential Microsoft PCT worm (MS04-011)
|
| A revised exploit has been released for the PCT flaw in the last 24-hrs by
| THC (THCIISSLame.c). For the last few hours we have also been receiving
| uncorroborated anecdotal evidence from reliable sources that a working worm
| is being trialled on the Internet, in preparation for imminent release. The
| primary concern is that this flaw affects unpatched SSL enabled IIS servers,
| which could potentially be thousands of hosts.
|
| The official Microsoft patch (MS04-011) is strongly recommended for
| immediate application. However, for some organisations, change control and
| software dependency testing have meant that there has not been enough time
| to test and apply the patch widely. Additionally there have been reports of
| some organisations experiencing reliability issues after applying this
| patch, and so they have halted the rollout.
|
| As time is of the essence, an alternative to applying the patch is available
| by disabling PCT. This option has been tested by Corsaire with the THC
| exploit on Microsoft Windows 2000 SP4 IIS only (but we have no reason to
| doubt that this approach will work just as well on the alternative MS
| platforms).
|
| There is a Microsoft knowledgebase article that describes the full process.
| Be sure to follow the instructions to the letter, otherwise there is the
| risk that you will still be exposed:
| http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
|
|
| -- Background --
|
| Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft
| http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
|
|
| -- Distribution --
|
| This security advisory may be freely distributed, provided that it
| remains unaltered and in its original form.
|
|
| -- Disclaimer --
|
| The information contained within this advisory is supplied "as-is" with
| no warranties or guarantees of fitness of use or otherwise. Corsaire
| accepts no responsibility for any damage caused by the use or misuse of
| this information.
|
|
| Copyright 2004 Corsaire Limited. All rights reserved.
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
- --
Email: ge@...uxbox.org. Backup: ge@...p.mx.dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email:
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAiZGaqH6NtwbH1FARAgj5AJ9MfHDE91X/pirb9bkES7pb8+lqPQCfQUIG
1xSzEu3quaFYYkfwcd99kBk=
=QP+k
-----END PGP SIGNATURE-----