Also note that there is another D.O.S. capable bug that SP4 fixes if I
recall correctly. It was something with referrals.

Note that there are several things that can be done to W2K AD by a
bright programmer with internal access who has had a chance to sit back
and think about it that can hurt AD. Some only require having an account
in AD, some require a machine account. Won't give details here or
anywhere due to social conscience and not willing to expose shit that
could hurt me personally but they are there... Move to W2K3 when you can
as that may help based on some of the newer docs I have seen. 

I agree with what everyone else has said on SP4... Test test test, then
deploy. When you do have an issue, post back here or in the newsgroups
so others can learn of the experience. Even if you call MS and they say,
nope, no one is having that issue. I have found that they know of things
but won't come fully forward with them until some minimum number of
customers/people have complained. 




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Thursday, July 03, 2003 10:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability


Thanks Everyone for the great information. We have already begun
patching the systems as a result of the information from the list.

Todd Myrick

-----Original Message-----
From: Robert Moir [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 03, 2003 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability


I'd certainly concur with the idea of using the hotfix before rushing
SP4 out of the door without the usual acceptance testing but it might be
worth remembering that someone who is posting from an educational
establishment is in an environment where malicious attacks from within
the network are not just possible, or likely, but are simply another day
at the office. 

> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]
> Sent: 03 July 2003 12:51
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD DOS vulnerability
> 
> Given that this vulnerability can generally only be exploited through 
> malicious use from *within* the network (at least for most 
> organisations), you may want to hold off on SP4.  This will depend on 
> your assessment of the threat in your environment.  SP4 was only 
> released last week and it is usually prudent to wait to see if any 
> major bugs appear before installing it.  I'm sure you remember the 
> problems introduced by Windows NT 4.0 SP6, which were then urgently
> fixed in SP6a?
> 
> You could always install the hotfix first and hold off a while on SP4.
> 
> More info on this vulnerability here:
> 
> http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
> 
> Tony
> ---------- Original Message ----------------------------------
> Reply-To: [EMAIL PROTECTED]
> Date:  Thu, 3 Jul 2003 11:10:44 +0100
> 
> I received notification about a vulnerability in AD this morning - 
> details are at
>       http://support.microsoft.com/default.aspx?kbid=319709
> 
> It looks like the recommended fix is to upgrade my DCs to SP4.
> 
> I was planning to wait a lot longer before I inflict SP4 on any 
> machines that I care about, but it looks like this might force my hand
> a bit. What's everyone else doing?
> 
> Has anyone heard of *any* problems with SP4 yet?
> 
> --
> Steve Bennett, Systems Support
> Lancaster University
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 