-----BEGIN PGP SIGNED MESSAGE-----

A number of people have put effort into supposedly providing "proof of concept" code or "remote test" code that allows Administrators to determine whether or not their IIS 5.0 box is, or isn't, patched against this .printer buffer overflow. No doubt Eric Schultze has been rolling his eyes repeatedly as these messages appear.

In a conversation I had with Marc Maiffret about exploit code, he indicated that they (Eeye) had produced something to demonstrate the severity of the issue to Microsoft. Perfectly understandable; reproducing an issue and allowing the developers to see the potential of a vulnerability are the most important things a discoverer can do. However, doing the same for the public-at-large is another thing.

The HFCHECK.wsf script/tool from Microsoft is perfectly capable of determining whether or not a local or remote box is vulnerable to the .printer exploit. Using WMI, within an organization, an Administrator could easily determine whether some or all of his/her W2K boxen have applied the patch. Using the customization to NOTIFY.JS described in the documentation supplied with HFCHECK, an Administrator could receive an email notification of any box which failed the test. Moreover, not only will HFCHECK verify whether MS01-023 has been patched, it will also ensure that any patches a given W2K box needs have been applied, including security patches to other program sets like the OS, Exchange, whatever.

So while IDS Vendors and the curious few might "need" to have sample exploit code, to suggest that same code is "needed" to allow Administrators to make a determination is, IMO, flawed thinking. With advisories from so many sources within 24 hours of the announcement of the vulnerability, you would think that everyone who should know about the problem does. Folks should also have appreciated, again by the sheer volume and speed of advisories, that this one is a big problem that needs to be acted on right away.

All the exploit code does now is become the basis for actual malicious exploits, regardless of disclaimers to the contrary. Seeing may be believing, but if your security is based on vulnerabilities being proven to you (or to yourself) before you patch, then your machine is likely vulnerable to several exploits right now. With Windows 2000 and WMI, it's possible to avoid such questions by simply dealing with the output of the HFCHECK script quickly and regularly.

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

The threat level of this particular vulnerability (MS01-023) was, IMNSHO, entirely dictated by the availability and quality of exploit code. In the 24 hours since the advisory was published it went from Low to Extremely High. I'm not suggesting that exploit code shouldn't have been published; I am suggesting that anyone who does publish code shouldn't pretend it's there for people to test their boxes or get a better appreciation of how severe the issue is. A test pre-existed the vulnerability, and its severity should be obvious to all... even folks who don't understand security.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBOvFkzhBh2Kw/l7p5AQFVXgQAqLrB0WMtub/uJUeNEJdEVpPdPm8GyU+o
78rylCPdFIRCzK79lFOsI1xmJ/212RjjMt/guqE1v80+aReX7qethXgeoyuFXkN0
5Ig4XanXyGWv3A0smTpjcOI+FbRDFXBIfpw3J7OxJ0FsEHelLOsEqD/38l6NMfhr
aknnt3QBvgw=
=VURy
-----END PGP SIGNATURE-----
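The post's point is that patch status can be established from the administrator's side with WMI rather than by firing an exploit at the box. The script below is an added example of that approach and is not part of the original post, nor is it Microsoft's HFCHECK or NOTIFY.JS. It sweeps a list of hosts over WMI, reports which ones lack a given hotfix, and mails the list of failures in the spirit of the NOTIFY.JS email customization the post mentions. It uses current PowerShell cmdlets (Windows 2000 itself would have used WSH and the WMI scripting API); the hotfix identifier is a placeholder because the post does not name it, and the host list and mail settings are constructed values. It assumes the caller has WMI/DCOM rights on the targets.

```powershell
# Added example: hotfix presence check over WMI, with email notification of failures.
# Not the original post's code and not Microsoft's HFCHECK/NOTIFY.JS.

$HotfixId = 'QNNNNNN'                      # PLACEHOLDER: hotfix ID of the patch being checked (not on the page)
$Hosts    = @('web01', 'web02', 'web03')   # constructed sample host list
$MailFrom = 'patchcheck@example.com'       # assumed notification settings (constructed)
$MailTo   = 'admins@example.com'
$SmtpHost = 'smtp.example.com'

function Test-HotfixInstalled {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $HotfixId
    )
    # Win32_QuickFixEngineering enumerates installed hotfixes; no matching
    # HotFixID entry means the patch has not been applied on that host.
    $fixes = Get-CimInstance -ClassName Win32_QuickFixEngineering `
                             -ComputerName $ComputerName -ErrorAction Stop
    return [bool]($fixes | Where-Object { $_.HotFixID -eq $HotfixId })
}

$results = foreach ($h in $Hosts) {
    try {
        $installed = Test-HotfixInstalled -ComputerName $h -HotfixId $HotfixId
        [pscustomobject]@{
            Host   = $h
            Status = if ($installed) { 'Patched' } else { 'MISSING' }
        }
    } catch {
        # Unreachable or access-denied hosts are reported as failures, not skipped:
        # an unverifiable box should never be counted as patched.
        [pscustomobject]@{ Host = $h; Status = "Error: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Anything other than a confirmed 'Patched' goes into the notification mail.
$failures = @($results | Where-Object { $_.Status -ne 'Patched' })
if ($failures.Count -gt 0) {
    $body = ($failures | ForEach-Object { "$($_.Host): $($_.Status)" }) -join "`n"
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpHost `
        -Subject "Hotfix $HotfixId missing or unverified on $($failures.Count) host(s)" `
        -Body $body
}
```

Run it from a scheduled task so the sweep happens regularly, as the post recommends for HFCHECK output; treating hosts that cannot be queried as failures is deliberate, since a box that cannot be verified is the one most likely to have been missed.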
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 15:12:31 PDT