Um, not sure what you are saying here...

Are you saying that because there are unauthenticated ways of calling the 
Server service, then Microsoft needs to review all the pieces of code that the 
server service calls, even if they aren't part of the server service itself?

(FWIW Windows Server 2008 and Vista require authentication by default to the 
server service, so there's one fix).

I know they are doing code reviews, but as per the SDL blog, this particular 
issue in netapi32.dll is a particularly different one to fix.

Cheers
Ken

> -----Original Message-----
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> Sent: Monday, 27 October 2008 11:44 AM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> Yeah pretty aware that netapi32.dll is called by a lot of items, which
> sends the attack vector up quite a bit, but the server service was the
> route into both if memory serves me right, so question is why did
> another unauthenticated RPC error attack with that service as the route
> happen again when they made a fix for a similar vulnerability 2+ yrs
> ago..
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 26, 2008 6:50 PM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> Hmm - I checked MS06-040 again, and I don't think they are the same "type"
> of issue.
>
> The current bug is in the NetCanonicalize API - not in the Server
> service. It's just that the server service is a route to get to that bug
> - because it calls that API. But it's entirely possible for /other/
> applications to also call that API. Just use Process Explorer, and see
> how many applications are using Netapi32.dll - I think you'll find it's
> a lot. Any of these /might/ also call that API, and become a vector for
> compromise.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 27 October 2008 9:28 AM
> > To: NT System Admin Issues
> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >
> > According to the SDL blog, this is why this particular issue is not easy
> > to discover, especially using automated analysis:
> > http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
> >
> > Cheers
> > Ken
> >
> > > -----Original Message-----
> > > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, 27 October 2008 12:45 AM
> > > To: NT System Admin Issues
> > > Subject: RE: Out of Cycle Critical Windows Patch ?
> > >
> > > Yeah someone lit a fire under MSFT arse and they got with the program on
> > > this one, but only after they detected systems getting exploited in the
> > > wild. Why they didn't determine this flaw back when they patched 06-040
> > > for the same type of issue we probably will never know...
> > >
> > > Z
> > >
> > > Edward E. Ziots
> > > Network Engineer
> > > Lifespan Organization
> > > MCSE,MCSA,MCP,Security+,Network+,CCA
> > > Phone: 401-639-3505
> > >
> > > -----Original Message-----
> > > From: Kurt Buff [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, October 24, 2008 8:08 PM
> > > To: NT System Admin Issues
> > > Subject: Re: Out of Cycle Critical Windows Patch ?
> > >
> > > Taking this in a slightly different direction...
> > >
> > > I told the IT Director and COO yesterday that I was patching all
> > > servers, and sending an email to all of the laptop users to do the
> > > same.
> > >
> > > They were a bit skeptical, but not only did the emails that I
> > > forwarded them from various lists buttress my opinion, this morning I
> > > got forwarded a voicemail by the IT Director, from a rep at MSFT. Gist
> > > of the message - MSFT is taking this extremely seriously, and you
> > > should patch now.
> > >
> > > Director's comment was "nice job, good of you to jump on this."
> > >
> > > Anyone else get a call like this from MSFT? It's the first time I've
> > > heard of them doing this, and I take it as a really good sign - MSFT
> > > is finally getting the real clue about this stuff.
> > >
> > > Kurt
> > >
> > > On Fri, Oct 24, 2008 at 3:52 AM, Oliver Marshall
> > > <[EMAIL PROTECTED]> wrote:
> > > > Chaps,
> > > >
> > > > The update that was sent out last night, has that caused any issues
> > > > elsewhere? We've had a spate of calls from users about problems today,
> > > > several servers which were set to auto-update for various reasons have
> > > > had varying levels of failure. It's mentally busy here for a Friday, and
> > > > the one thing they have in common is that all the machines rebooted for
> > > > an update last night.
> > > >
> > > > Is it just us ?
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~