Well, TMG is Windows, right? Personally, out of an abundance of caution, I would assume the TMG server itself is also vulnerable until patched. And even when it is patched, the underlying web server would need to be patched as well unless TMG inspects encrypted traffic and has a valid signature to block attacks. (Does TMG even do this? I have never worked with it.)
I'm assuming other (non-Windows) firewalls that do IPS will get definitions here pretty quickly, but they will still have to decrypt the inbound traffic to do any good. I suspect there's a lot out there that either can't do SSL/TLS decryption or don't have it configured. Bottom line, I think ASB is on the money here. Do the public-facing machines on an emergency basis and do the rest as soon as you reasonably can.

On Thu, Nov 13, 2014 at 7:20 PM, Heaton, Joseph@Wildlife <[email protected]> wrote:

> What about web machines behind say, TMG?
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Andrew S. Baker
> *Sent:* Wednesday, November 12, 2014 5:57 PM
> *To:* ntsysadm
> *Subject:* Re: [NTSysADM] MS14-066 - secure channel vulnerability
>
> There's nothing in the wild *as yet*, but given the wormable potential, I would expect exploit code within 4-6 business days.
>
> Patch perimeter exposed systems as soon as you can, and work from there.
>
> Be advised that if a client system gets hit, it will be able to hit all the systems that it has access to within your network.
>
> Regards,
>
> *ASB* *http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
> *Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…*
>
> On Wed, Nov 12, 2014 at 3:06 PM, geoff taylor <[email protected]> wrote:
>
> Looking for opinions on how urgent this is, and your plan of attack.
> No shortage of people crying Wolf. As usual SANs is balanced and sane recognizing the possible severe implications and yet acknowledging that a well thought out patching approach (expedited perhaps) is the best defense.
>
> *http://preview.tinyurl.com/phz3my4* <http://preview.tinyurl.com/phz3my4>
> gt

