lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87oe7w1dr9.fsf@mid.deneb.enyo.de>
Date: Wed Aug 17 21:59:34 2005
From: fw at deneb.enyo.de (Florian Weimer)
Subject: Re: It's not that simple...

* Micheal Espinola, Jr.:

> PnP is not a show stopper when it comes to patch compatibility testing
> - especially considering the fact that the exploit allows for remote
> code execution and elevation of privilege.  Perhaps certain people
> need to learn or take a refresher course of what that exactly implies.

It doesn't exactly help that Microsoft puts random unrelated crap into
security updates and not just the fix.  This means that you have to
perform full regression tests even if something is patched that isn't
actually used on your systems.

> And I'd say it is just that simple when you consider the fact that San
> Diego County waited to install the patch *the night after* they got
> hit by the worm.  *That's* why organizations like San Diego County,
> with ~12,000 Win2k hosts, were bitten so badly.

Doesn't the exploit code need a null session?  This leads to the
question why people have 12,000 Windows boxes, 2000 or not, on their
network, many of them offering null sessions.  Especially since
disabling null sessions makes tons of other exploits (which use the
leaked data for guessing administrator passwords, for example) quite a
bit harder.  It's actually rather surprising that they had no previous
botnet experience with such a setup.  Maybe they just didn't notice.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ