On Mon, 21 Jun 1999, Russ wrote:

> Date: Mon, 21 Jun 1999 20:58:54 -0400
> From: Russ <[EMAIL PROTECTED]>
> To: 'Jason Axley' <[EMAIL PROTECTED]>,
>     Brian Steele <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: RE: Why not NT?
> 
> Boy oh boy, you folks are back in the wild west out here on Firewalls,
> eh? I'm trying very hard to be purely technical...

To keep with the west theme, you seem to have burst into this list with
guns blazing...  I wasn't taking a shot at NT, although that seems to be
what you read by hearing half the conversation.

> 
> To wit, Jason Axley proclaimed (albeit with seemingly no knowledge of
> the facts);

Keyword:  seemingly.  I know that these have "hotfixes" but many folks
don't consider hotfixes production-ready (although I think that _not_
having these is much worse than the alternative, but...)  So many folks
wait for regression-tested service packs (again, not my style).
Hopefully, this won't start its own religious argument...

I also don't disagree that "properly locked down" means having all service
packs + hotfixes.  Not everyone agrees, for the reason I cite above.
I was merely giving examples of the kinds of problems on NT after SP4, at
the request of Brian Steele.

> 
> >Okay, NT server, "properly" locked down, SP4 installed, can still have
> >users become Administrator with at least 3 bugs:
> >
> >* KnownDLLs bug http://www.l0pht.com
> >* ScreenSaver bug http://www.cybermedia.co.in
> >* Case Sensitivity bug http://www.cybermedia.co.in
> 
> 1. Dildog wasn't aware of the Microsoft document which described how to
> prevent the KnownDLLs attack described by him (exploitable due to
> registry permissions on default installs, not on systems that have been
> secured using any of the modern -- less than 1 year old -- checklists).
> It was posted, at least, 8 months before the l0pht's disclosure. The
> l0pht deserves praise for bringing it to a wider audience, and for
> finding that there was a leak that could be exploited, but the fact is
> MS had already described, and recommended, how to prevent it. The
> bulletin, including a link to the fix, is at;
> 
> http://www.microsoft.com/security/bulletins/ms99-006.asp

That's fine.  I don't think that each needs to be "shot down" :-) in
succession since the specifics aren't at all relevant to my point.  I was
simply listing examples from the NT bugs I've seen released of late.

[snip]

> 
> >Bugs like this mean that there is no separation of duties since all
> >users can gain administrative privileges with no ability to control
> >it.
> 
> Where'd you get this idea that there was "no ability to control it"??

I apologize for being unclear.  I meant that a host with these kinds of
vulnerabilities does not have separation of duties--period.  Normally, the
operating system enforces separation of duties.  These types of bugs allow
users to subvert that control.  I sense that you are intimating that
service packs are the way this can be controlled.  That is true only once
the fix or workaround is available (as is the case for the examples I
gave--but I wasn't claiming otherwise).  Other OS's have their own
equivalent vulnerabilities that create the same problem.

> 
> >There are hotfixes for at least one of these, BTW, but that doesn't
> >change my original point.
> 
> Which was? If you can exploit root once on a box it's irrelevant that it's
> been fixed? Guess you're down to a very few, if any, choices for OS, eh?

Try reading the earlier posts.  The point was, that C2 or whatever
certification of an OS is meaningless when there are gaping holes in it.
This may seem like common sense logic, but I've seen many people use the
C2 certification of NT to claim that it is "better" than UNIX.  I was
pointing out that there are other factors that can be more important in
sizing an OS's security than its rating (namely, # and severity of
vulnerabilities, response time for fixes, etc.)  Again, this is not a
specific comment about NT--NT was the topic of discussion so the example
was geared toward it.

> 
> Cheers,
> Russ - NTBugtraq Editor
> http://ntbugtraq.ntadvice.com
> full list of all MS Security Bulletins;
> http://www.microsoft.com/security/bulletins/current.asp?ID=4&Parent=1
> 

-Jason

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
