Yeah, pretty aware that netapi32.dll is called by a lot of items, which
sends the attack vector up quite a bit, but the server service was the
route into both if memory serves me right, so question is why did
another unauthenticated RPC error attack with that service as the route
happen again when they made a fix for a similar vulnerability 2+ yrs
ago..

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505
-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2008 6:50 PM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch ?

Hmm - I checked MS06-040 again, and I don't think they are the same "type"
of issue.

The current bug is in the NetCanonicalize API - not in the Server
service. It's just that the server service is a route to get to that bug
- because it calls that API. But it's entirely possible for /other/
applications to also call that API. Just use Process Explorer, and see
how many applications are using Netapi32.dll - I think you'll find it's
a lot. Any of these /might/ also call that API, and become a vector for
compromise.

Cheers
Ken
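
The Process Explorer check described in the message above can also be scripted. The following is an added example, not part of the original email: it inventories the processes that currently have netapi32.dll loaded and reports the file version each one mapped, so it can be compared against the patched version. The variable names are illustrative, and it assumes an elevated PowerShell session of the same bitness as the OS.

```powershell
# Added example: list processes that have netapi32.dll loaded.
# A loaded DLL only means the process *can* reach the API; it does not
# prove the process calls the affected function.
$target  = 'netapi32.dll'
$skipped = New-Object System.Collections.Generic.List[string]

$hits = foreach ($proc in Get-Process) {
    try {
        # Throws (or yields nothing) for protected processes, or for
        # 64-bit processes when run from a 32-bit session.
        $mods = @($proc.Modules)
    } catch {
        $skipped.Add("$($proc.ProcessName) ($($proc.Id))")
        continue
    }
    if ($mods.Count -eq 0) {
        $skipped.Add("$($proc.ProcessName) ($($proc.Id))")
        continue
    }

    $mod = $mods | Where-Object { $_.ModuleName -ieq $target } |
           Select-Object -First 1
    if ($mod) {
        [pscustomobject]@{
            Process     = $proc.ProcessName
            Id          = $proc.Id
            ModulePath  = $mod.FileName
            FileVersion = $mod.FileVersionInfo.FileVersion
        }
    }
}

$hits | Sort-Object Process, Id | Format-Table -AutoSize

# Summarise which copies/versions of the DLL are mapped; a process started
# before the update was installed keeps the old image until it restarts.
$hits | Group-Object ModulePath, FileVersion |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host ("{0} process(es) with {1} loaded; {2} could not be inspected." -f
    @($hits).Count, $target, $skipped.Count)
```

Processes listed as not inspectable still need to be checked another way, for example from Process Explorer running elevated.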

> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Monday, 27 October 2008 9:28 AM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> According to the SDL blog, this is why this particular issue is not easy to
> discover, especially using automated analysis:
> http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 27 October 2008 12:45 AM
> > To: NT System Admin Issues
> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >
> > Yeah someone lit a fire under MSFT arse and they got with the program on
> > this one, but only after they detected systems getting exploited in the
> > wild. Why they didn't determine this flaw back when they patched 06-040
> > for the same type of issue we probably will never know...
> >
> > Z
> >
> > Edward E. Ziots
> > Network Engineer
> > Lifespan Organization
> > MCSE,MCSA,MCP,Security+,Network+,CCA
> > Phone: 401-639-3505
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[EMAIL PROTECTED]
> > Sent: Friday, October 24, 2008 8:08 PM
> > To: NT System Admin Issues
> > Subject: Re: Out of Cycle Critical Windows Patch ?
> >
> > Taking this in a slightly different direction...
> >
> > I told the IT Director and COO yesterday that I was patching all
> > servers, and sending an email to all of the laptop users to do the
> > same.
> >
> > They were a bit skeptical, but not only did the emails that I
> > forwarded them from various lists buttress my opinion, this morning I
> > got forwarded a voicemail by the IT Director, from a rep at MSFT. Gist
> > of the message - MSFT is taking this extremely seriously, and you
> > should patch now.
> >
> > Director's comment was "nice job, good of you to jump on this."
> >
> > Anyone else get a call like this from MSFT? It's the first time I've
> > heard of them doing this, and I take it as a really good sign - MSFT
> > is finally getting the real clue about this stuff.
> >
> > Kurt
> >
> > On Fri, Oct 24, 2008 at 3:52 AM, Oliver Marshall
> > <[EMAIL PROTECTED]> wrote:
> > > Chaps,
> > >
> > > The update that was sent out last night, has that caused any issues
> > > elsewhere? We've had a spate of calls from users about problems today,
> > > several servers which were set to auto-update for various reasons have
> > > had varying levels of failure. It's mentally busy here for a Friday, and
> > > the one thing they have in common is that all the machines rebooted for
> > > an update last night.
> > >
> > > Is it just us ?