nonononono... that advisory was different than Microsoft's in one VERY important way... this line: "....For the last few hours we have also been receiving uncorroborated anecdotal evidence from reliable sources that a working worm is being trialled on the Internet,...."
implies that there is a worm released on the internet. ***VERY**** misleading if you ask me! THAT is what Gadi was referring to that caused some stir. Microsoft's alert didn't say that there was a worm being trialed on the internet. But only warned that there MAY be a worm that takes advantage of this exploit.

Exibar

> -----Original Message-----
> From: insecure [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 23, 2004 5:40 PM
> To: Gadi Evron
> Cc: advisories; [EMAIL PROTECTED]
> Subject: [inbox] Re: [Full-Disclosure] Potential Microsoft PCT worm (MS04-011)
>
> Gee, the advisory from Corsaire caused a lot of panic? What was your
> reaction when Microsoft issued an almost identical alert about 16 hours
> ago? (reproduced below)
>
> Maybe a little panic is a good thing...
>
> What is this alert?
>
> - Microsoft is aware of code available on the Internet that seeks to exploit
> vulnerabilities addressed as part of our April 13th security updates. We are
> investigating the situation to help protect our customers. Specifically,
> the reports detail exploit code that attempts to use the IIS PCT/SSL
> vulnerability on servers running Internet Information Services with the
> Secure Socket Layer authentication enabled. This vulnerability is addressed
> by bulletin MS04-011. Customers who have deployed MS04-011 are not at risk
> from this exploit code.
>
> - Microsoft considers these reports credible and serious and continues to
> urge all customers to immediately install the MS04-011 update as well as the
> other critical updates provided on April 13th.
>
> - Customers who are still evaluating and testing MS04-011 should immediately
> implement the workaround steps detailed for the PCT/SSL vulnerability
> detailed in the MS04-011.
> In addition, Microsoft has published a knowledge base article KB187498 at
> http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 which
> provides additional details on SSL and how to disable PCT without applying
> MS04-011.
>
> - We expect to see additional exploits and proof-of-concept code targeting
> the April 2004 security bulletin release in coming days and weeks,
> potentially including worm or virus examples.
>
> Gadi Evron wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > You should be more careful in the future, this email message started a
> > lot of panic and alarm.
> >
> > A worm is coming, we all know that! Whether today, next week or in a
> > month, it will come. I appreciate any warning, but not one such as this.
> >
> > This advisory below however is not from Microsoft, and although I am
> > sure you meant no harm, it appears to come from MS, format-wise and it
> > might even imply so in a first glance.
> >
> > None of the people I talked this over see a worm yet, so please be more
> > careful in the future, because unless you have actual information, this
> > advisory is nothing but misleading and a recycle of old information -
> > which I am sure you didn't mean, but rather just gathered relevant
> > information in an MS-like format for us all to benefit from.
> >
> > Since you claim to have the "new" exploit, how about a snort signature,
> > for example, or more information?
> >
> > Sorry if I have been rude.
> >
> > Thank you.
> >
> > Gadi Evron.
> >
> > advisories wrote:
> >
> > | Potential Microsoft PCT worm (MS04-011)
> > |
> > | A revised exploit has been released for the PCT flaw in the last 24-hrs by
> > | THC (THCIISSLame.c). For the last few hours we have also been receiving
> > | uncorroborated anecdotal evidence from reliable sources that a working worm
> > | is being trialled on the Internet, in preparation for imminent release.
> > | The primary concern is that this flaw affects unpatched SSL enabled IIS servers,
> > | which could potentially be thousands of hosts.
> > |
> > | The official Microsoft patch (MS04-011) is strongly recommended for
> > | immediate application. However, for some organisations, change control and
> > | software dependency testing have meant that there has not been enough time
> > | to test and apply the patch widely. Additionally there have been reports of
> > | some organisations experiencing reliability issues after applying this
> > | patch, and so they have halted the rollout.
> > |
> > | As time is of the essence, an alternative to applying the patch is available
> > | by disabling PCT. This option has been tested by Corsaire with the THC
> > | exploit on Microsoft Windows 2000 SP4 IIS only (but we have no reason to
> > | doubt that this approach will work just as well on the alternative MS
> > | platforms).
> > |
> > | There is a Microsoft knowledgebase article that describes the full process.
> > | Be sure to follow the instructions to the letter, otherwise there is the
> > | risk that you will still be exposed:
> > | http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
> > |
> > |
> > | -- Background --
> > |
> > | Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft
> > | http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
> > |
> > |
> > | -- Distribution --
> > |
> > | This security advisory may be freely distributed, provided that it
> > | remains unaltered and in its original form.
> > |
> > |
> > | -- Disclaimer --
> > |
> > | The information contained within this advisory is supplied "as-is" with
> > | no warranties or guarantees of fitness of use or otherwise. Corsaire
> > | accepts no responsibility for any damage caused by the use or misuse of
> > | this information.
> > |
> > |
> > | Copyright 2004 Corsaire Limited. All rights reserved.
> > |
> > | _______________________________________________
> > | Full-Disclosure - We believe in it.
> > | Charter: http://lists.netsys.com/full-disclosure-charter.html
> > |
> >
> > - --
> > Email: [EMAIL PROTECTED] Backup: [EMAIL PROTECTED]
> > Phone: +972-50-428610 (Cell).
> >
> > PGP key for attachments:
> > http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
> > ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
> > GPG key for encrypted email:
> > http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
> > ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.3 (MingW32)
> >
> > iD8DBQFAiZGaqH6NtwbH1FARAgj5AJ9MfHDE91X/pirb9bkES7pb8+lqPQCfQUIG
> > 1xSzEu3quaFYYkfwcd99kBk=
> > =QP+k
> > -----END PGP SIGNATURE-----
