Message-ID: <NMEAJDJMDLJLOIOCIKJJAEMDFCAA.exibar@thelair.com>
From: exibar at thelair.com (Exibar)
Subject: [inbox] Re: Potential Microsoft PCT worm (MS04-011)
nonononono... that advisory was different than Microsoft's in one VERY
important way... this line: "....For the last few hours we have also been
receiving uncorroborated anecdotal evidence from reliable sources that a
working worm is being trialled on the Internet,...."
implies that there is a worm released on the internet. ***VERY****
misleading if you ask me! THAT is what Gadi was referring to that caused
some stir.
Microsoft's alert didn't say that there was a worm being trialed on the
internet. But only warned that there MAY be a worm that takes advantage of
this exploit.
Exibar
> -----Original Message-----
> From: insecure [mailto:insecure@...ritech.net]
> Sent: Friday, April 23, 2004 5:40 PM
> To: Gadi Evron
> Cc: advisories; full-disclosure@...ts.netsys.com
> Subject: [inbox] Re: [Full-Disclosure] Potential Microsoft PCT worm
> (MS04-011)
>
>
> Gee, the advisory from Corsaire caused a lot of panic? What was your
> reaction when Microsoft issued an almost identical alert about 16 hours
> ago? (reproduced below)
>
> Maybe a little panic is a good thing...
>
> What is this alert?
>
> - Microsoft is aware of code available on the Internet that seeks to exploit
> vulnerabilities addressed as part of our April 13th security updates. We are
> investigating the situation to help protect our customers. Specifically,
> the reports detail exploit code that attempts to use the IIS PCT/SSL
> vulnerability on servers running Internet Information Services with the
> Secure Socket Layer authentication enabled. This vulnerability is addressed
> by bulletin MS04-011. Customers who have deployed MS04-011 are not at risk
> from this exploit code.
>
> - Microsoft considers these reports credible and serious and continues to
> urge all customers to immediately install the MS04-011 update as well as the
> other critical updates provided on April 13th.
>
> - Customers who are still evaluating and testing MS04-011 should immediately
> implement the workaround steps detailed for the PCT/SSL vulnerability
> detailed in the MS04-011. In addition, Microsoft has published a knowledge
> base article KB187498 at
> http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 which
> provides additional details on SSL and how to disable PCT without applying
> MS04-011.
>
> - We expect to see additional exploits and proof-of-concept code targeting
> the April 2004 security bulletin release in coming days and weeks,
> potentially including worm or virus examples.
>
>
>
> Gadi Evron wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > You should be more careful in the future, this email message started a
> > lot of panic and alarm.
> >
> > A worm is coming, we all know that! Whether today, next week or in a
> > month, it will come. I appreciate any warning, but not one such as this.
> >
> > This advisory below however is not from Microsoft, and although I am
> > sure you meant no harm, it appears to come from MS, format-wise and it
> > might even imply so in a first glance.
> >
> > None of the people I talked this over see a worm yet, so please be more
> > careful in the future, because unless you have actual information, this
> > advisory is nothing but misleading and a recycle of old information -
> > which I am sure you didn't mean, but rather just gathered relevant
> > information in an MS-like format for us all to benefit from.
> >
> > Since you claim to have the "new" exploit, how about a snort signature,
> > for example, or more information?
> >
> > Sorry if I have been rude.
> >
> > Thank you.
> >
> > Gadi Evron.
> >
> >
> > advisories wrote:
> >
> > | Potential Microsoft PCT worm (MS04-011)
> > |
> > | A revised exploit has been released for the PCT flaw in the last 24-hrs by
> > | THC (THCIISSLame.c). For the last few hours we have also been receiving
> > | uncorroborated anecdotal evidence from reliable sources that a working worm
> > | is being trialled on the Internet, in preparation for imminent release. The
> > | primary concern is that this flaw affects unpatched SSL enabled IIS servers,
> > | which could potentially be thousands of hosts.
> > |
> > | The official Microsoft patch (MS04-011) is strongly recommended for
> > | immediate application. However, for some organisations, change control and
> > | software dependency testing have meant that there has not been enough time
> > | to test and apply the patch widely. Additionally there have been reports of
> > | some organisations experiencing reliability issues after applying this
> > | patch, and so they have halted the rollout.
> > |
> > | As time is of the essence, an alternative to applying the patch is available
> > | by disabling PCT. This option has been tested by Corsaire with the THC
> > | exploit on Microsoft Windows 2000 SP4 IIS only (but we have no reason to
> > | doubt that this approach will work just as well on the alternative MS
> > | platforms).
> > |
> > | There is a Microsoft knowledgebase article that describes the full process.
> > | Be sure to follow the instructions to the letter, otherwise there is the
> > | risk that you will still be exposed:
> > | http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
> > |
> > |
> > | -- Background --
> > |
> > | Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft
> > | http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
> > |
> > |
> > | -- Distribution --
> > |
> > | This security advisory may be freely distributed, provided that it
> > | remains unaltered and in its original form.
> > |
> > |
> > | -- Disclaimer --
> > |
> > | The information contained within this advisory is supplied "as-is" with
> > | no warranties or guarantees of fitness of use or otherwise. Corsaire
> > | accepts no responsibility for any damage caused by the use or misuse of
> > | this information.
> > |
> > |
> > | Copyright 2004 Corsaire Limited. All rights reserved.
> > |
> > | _______________________________________________
> > | Full-Disclosure - We believe in it.
> > | Charter: http://lists.netsys.com/full-disclosure-charter.html
> > |
> > |
> >
> > - --
> > Email: ge@...uxbox.org. Backup: ge@...p.mx.dk.
> > Phone: +972-50-428610 (Cell).
> >
> > PGP key for attachments:
> > http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
> > ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
> > GPG key for encrypted email:
> > http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
> > ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.3 (MingW32)
> >
> > iD8DBQFAiZGaqH6NtwbH1FARAgj5AJ9MfHDE91X/pirb9bkES7pb8+lqPQCfQUIG
> > 1xSzEu3quaFYYkfwcd99kBk=
> > =QP+k
> > -----END PGP SIGNATURE-----
> >