--- Gary Flynn <[EMAIL PROTECTED]> wrote:
> I'm not sure this is the right place for this but:

Yes, it is.

> 1. Is there a signature to detect an HTTP response with a
> content-type of application/hta in any of the network
> sensor products?

We've added the signature for the next XPU. Unfortunately, the signature will trigger false positives if somebody is actually using HTA (HTML applications) within their intranets. As you say, hackers have been exploiting this, so we need to publish this signature despite this false-positive condition.

We probably should have published the signature before now, but we've been looking for ways to tie it back to object instantiation within web pages. Unfortunately, there is no good way to do that, because of JavaScripting. Therefore, we are left with a simple signature that simply triggers on an HTTP response "Content-Type" equal to "application/hta", which will have that false-positive problem.

> 2. I notice there is a signature for the Windows RPC Messenger
> overflow but I suspect it is for requests going through the
> mapper on port 135. Can anyone confirm this and/or point out
> a signature for direct Messenger traffic connections to high
> UDP ports?

We trigger correctly on high ports. We describe the problem of high ports in the advisory we published on the Messenger bug:

<http://xforce.iss.net/xforce/alerts/id/156>

We explicitly tested the XPU using exploits against high-number UDP ports.

Note that both our XPU and advisory came out on October 15, the same day that Microsoft issued the MS03-043 bulletin on the Messenger bug. This was long before people on bugtraq "discovered" the high-ports problem.

Robert Graham
Chief Scientist, ISS

_______________________________________________
ISSForum mailing list
https://atla-mm1.iss.net/mailman/listinfo
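As an added illustration (not code from this thread, from ISS, or from the XPU), here is the header check that the application/hta signature reduces to, run over constructed sample responses. It assumes a header-only, case-insensitive match with media-type parameters stripped; the false positive on legitimate intranet HTA use that the reply describes is unchanged.

```python
"""Added example, not from the ISSForum thread: the Content-Type check an
application/hta signature amounts to.  All sample responses are constructed."""


def parse_response_headers(raw: bytes) -> dict:
    """Return the response headers as a dict with lowercase names.
    Only the block before the first blank line is read, so a string
    such as 'application/hta' inside the body never matches."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_hta_response(raw: bytes) -> bool:
    """True when the response media type is application/hta.
    Header name and media type are compared case-insensitively and any
    parameters (e.g. '; charset=utf-8') are dropped, so minor spelling
    differences between servers do not slip past the check."""
    ctype = parse_response_headers(raw).get("content-type", "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    return media_type == "application/hta"


# Constructed sample responses (hypothetical, for demonstration only)
HTA_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/hta\r\n\r\n"
                b"<html><hta:application/></html>")
HTA_RESPONSE_VARIANT = (b"HTTP/1.1 200 OK\r\n"
                        b"content-type: Application/HTA; charset=utf-8\r\n\r\n"
                        b"<html></html>")
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b"<p>application/hta appears here only in the body</p>")

if __name__ == "__main__":
    for label, resp in [("hta", HTA_RESPONSE),
                        ("hta-variant", HTA_RESPONSE_VARIANT),
                        ("html", HTML_RESPONSE)]:
        print(label, is_hta_response(resp))
```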
