RE: Windows 2000 DCOM clients may leak sensitive information onto the network

From: Adcock, Matt (Matt.Adcockat_private)
Date: Tue Apr 02 2002 - 13:56:02 PST


    If this is included in SRP1, it looks like Microsoft may not list fixes that
    do not have security bulletins associated with them.  Q300367 is not on the
    listed patches included in SRP1.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q311401&.  However,
    I took a look at a machine that has SRP1 and all post-SP2 hotfixes for the core
    OS, IIS and IE6 installed, and ole32.dll, rpcrt4.dll and rpcss.dll are all
    at versions above those mentioned in Q300367.
    
    Thanks,
    Matt
    
    <snip>
    Vendor Response:
    
    Microsoft has been informed of this issue, and has a fix for it, but
    they did not feel the risk is significant enough to warrant releasing a
    hotfix.  Their knowledge base article can be found at
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367
    
    The fix is included in the Windows 2000 SRP1.
    </snip>
    


