I checked this out. SANS had an emergency webcast this morning in which a lot of security engineers reviewed this bug. A few Microsoft guys were there who confirmed that OWA uses its own version of WEBDAV, which overrides the version installed by the OS. They said the version of WEBDAV in OWA is not vulnerable to this exploit.

However, I'm still hunting for an exploit to test it. Obviously we don't want to upgrade OWA if it can be avoided. We don't know how stable the patch is at this point.

rkt

-----Original Message-----
From: Sarah Kenna Groark [mailto:sarahat_private]
Sent: Tuesday, March 18, 2003 4:35 PM
To: Royans Tharakan; Nicolas Gregoire; Gary O'leary-Steele
Cc: pen-testat_private
Subject: RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability

>Someone said that OWA is not at risk so we are not patching it for webdav.

Is there a definitive statement on this somewhere? I am trying to track down for a client whether OWA is vulnerable to this and unfortunately do not have an environment where I can test it myself at the moment. Any info much appreciated.

Take care,
// Sarah
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 09:00:17 PST