Ken, 

NO offense but I am too tired and pivved off about this to comment
anymore about technical merits, or who is right or wrong. This
vulnerability is attacking the same darn service that MS06-040 did, with
the same result, unauthenticated remote code execution that is
propagating malware, spyware and worm activity which could definitely
bring networks to a halt and have a snowball effect across the next. 

Like I said before, /End Thread... Moving on..

Thanks
EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505
-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2008 9:27 PM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch ?

Nothing you are saying is in dispute here. But I still don't see any
argument as to why this is the "same type" of vulnerability in 06-040
that you previously stated, or why it should have been fixed as such.

That you need to spend time patching things isn't different to anyone
else here. Unfortunately it's a facet of running software these days -
no matter what the platform you'd be having to do the same thing. So, if
you are venting, then by all means vent. If you are making some claim
about the technical aspects of this vulnerability or patch, then as I
asked before, can you provide some information/facts/evidence/etc to
substantiate that. Not that I'm doubting you per se, but I'm always
looking to further my own technical knowledge (which is why I'm on this
list)

Cheers
Ken

> -----Original Message-----
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> Sent: Monday, 27 October 2008 12:08 PM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> Ken,
>
> Basically it's a juicy door for exploits, unauthenticated remote code
> execution, non-authenticated access is just that, unauthenticated, no
> trust, no authentication before authorization and legitimate access. It's
> basically a violation of AAA security principles. Honestly, I personally
> loathe any type of weak or non-existent access to systems, and we've seen
> it in this one that it keeps opening up the door for attacks.
>
> Any it's pretty easy to get authenticated credentials harvested from one
> exploited system and use these to whack the rest of them. A quick
> exploit, dump the hashes, run em through ophcrack or jack the ripper,
> and then impersonate those credentials (hey generic dumb user) and then
> run your exploit. It's about a trivial exercise. So as for Vista and W2k8
> being a little less vulnerable, sorry they are just as vulnerable as
> the Win2k,XP, and Win2k3 boxes, when you look at them being on the same
> network as the others mentioned.
>
> Again, it's a total pain in the proverbial keister, been up far too many
> hours getting my network straight with this patch, calling for a lot of
> downtime, and disrupting operations.
>
> Thanks M$ you guys take the cake on this one:)
>
> /END Thread
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
>
> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 26, 2008 8:49 PM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> Um, not sure what you are saying here...
>
> Are you saying that because there are unauthenticated ways of calling
> the Server service, then Microsoft needs to review all the pieces of
> code that the server service calls, even if they aren't part of the
> server service itself?
>
> (FWIW Windows Server 2008 and Vista require authentication by default to
> the server service, so there's one fix).
>
> I know they are doing code reviews, but as per the SDL blog, this
> particular issue in netapi32.dll is a particularly different one to fix.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 27 October 2008 11:44 AM
> > To: NT System Admin Issues
> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >
> > Yeah pretty aware that netapi32.dll is called by a lot of items, which
> > sends the attack vector up quite a bit, but the server service was the
> > route into both if memory serves me right, so question is why did
> > another unauthenticated RPC error attack with that service as the route
> > happen again when they made a fix for a similar vulnerability 2+ yrs
> > ago..
> >
> > Z
> >
> > Edward E. Ziots
> > Network Engineer
> > Lifespan Organization
> > MCSE,MCSA,MCP,Security+,Network+,CCA
> > Phone: 401-639-3505
> > -----Original Message-----
> > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, October 26, 2008 6:50 PM
> > To: NT System Admin Issues
> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >
> > Hmm - I checked MS06-040 again, and I don't think they are the same "type"
> > of issue.
> >
> > The current bug is in the NetCanonicalize API - not in the Server
> > service. It's just that the server service is a route to get to that bug
> > - because it calls that API. But it's entirely possible for /other/
> > applications to also call that API. Just use Process Explorer, and see
> > how many applications are using Netapi32.dll - I think you'll find it's
> > a lot. Any of these /might/ also call that API, and become a vector for
> > compromise.
> >
> > Cheers
> > Ken
> >
> > > -----Original Message-----
> > > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, 27 October 2008 9:28 AM
> > > To: NT System Admin Issues
> > > Subject: RE: Out of Cycle Critical Windows Patch ?
> > >
> > > According to the SDL blog, this is why this particular issue is not easy to
> > > discover, especially using automated analysis:
> > > http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
> > >
> > > Cheers
> > > Ken
> > >
> > > > -----Original Message-----
> > > > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, 27 October 2008 12:45 AM
> > > > To: NT System Admin Issues
> > > > Subject: RE: Out of Cycle Critical Windows Patch ?
> > > >
> > > > Yeah someone lit a fire under MSFT arse and they got with the program on
> > > > this one, but only after they detected systems getting exploited in the
> > > > wild. Why they didn't determine this flaw back when they patched 06-040
> > > > for the same type of issue we probably will never know...
> > > >
> > > > Z
> > > >
> > > > Edward E. Ziots
> > > > Network Engineer
> > > > Lifespan Organization
> > > > MCSE,MCSA,MCP,Security+,Network+,CCA
> > > > Phone: 401-639-3505
> > > >
> > > > -----Original Message-----
> > > > From: Kurt Buff [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, October 24, 2008 8:08 PM
> > > > To: NT System Admin Issues
> > > > Subject: Re: Out of Cycle Critical Windows Patch ?
> > > >
> > > > Taking this in a slightly different direction...
> > > >
> > > > I told the IT Director and COO yesterday that I was patching all
> > > > servers, and sending an email to all of the laptop users to do the
> > > > same.
> > > >
> > > > They were a bit skeptical, but not only did the emails that I
> > > > forwarded them from various lists buttress my opinion, this morning I
> > > > got forwarded a voicemail by the IT Director, from a rep at MSFT. Gist
> > > > of the message - MSFT is taking this extremely seriously, and you
> > > > should patch now.
> > > >
> > > > Director's comment was "nice job, good of you to jump on this."
> > > >
> > > > Anyone else get a call like this from MSFT? It's the first time I've
> > > > heard of them doing this, and I take it as a really good sign - MSFT
> > > > is finally getting the real clue about this stuff.
> > > >
> > > > Kurt
> > > >
> > > > On Fri, Oct 24, 2008 at 3:52 AM, Oliver Marshall
> > > > <[EMAIL PROTECTED]> wrote:
> > > > > Chaps,
> > > > >
> > > > > The update that was sent out last night, has that caused any issues
> > > > > elsewhere? We've had a spate of calls from users about problems today,
> > > > > several servers which were set to auto-update for various reasons have
> > > > > had varying levels of failure. It's mentally busy here for a Friday, and
> > > > > the one thing they have in common is that all the machine rebooted for
> > > > > an update last night.
> > > > >
> > > > > Is it just us ?
> > >
> > >
> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~