The full quote is:

"As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability."

The Index Service does not need to be running. IIS _has_ to parse the request and map it to the extension for it to be exploited.

hth
AD

----- Original Message -----
From: "Inman, Carey" <Inmanat_private>
To: "'Meritt James'" <meritt_jamesat_private>; "kam" <kamat_private>
Cc: "Amer Karim" <amerkat_private>; "VULN-DEV List" <VULN-DEVat_private>
Sent: Wednesday, August 08, 2001 10:32 AM
Subject: RE: CR II - winME? confirmation? (Slightly OT)

> Hi,
>
> I would like to offer a quote from MS01-033:
>
> "the service would not need to be running in order for an attacker to
> exploit the vulnerability."
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
>
> Carey
>
> -----Original Message-----
> From: Meritt James [mailto:meritt_jamesat_private]
> Sent: Wednesday, August 08, 2001 9:28 AM
> To: kam
> Cc: Amer Karim; VULN-DEV List
> Subject: Re: CR II - winME? confirmation? (Slightly OT)
>
> "running" or "installed"? It is my understanding that the vulnerability
> exists if the files and mapping are there no matter the process state of
> the IIS server. Is my understanding incorrect?
>
> Jim
>
> kam wrote:
> >
> > Without IIS running, an attacker has no means of exploiting the vulnerable
> > file. With no access to the file, the vulnerability does not exist. If
> > they're running IIS, then there is a hole which they can exploit. Even
> > though it comes installed by default on 2000, it's not a risk until you turn
> > on your web services.
> >
> > kam
> >
> > ----- Original Message -----
> > From: "Amer Karim" <amerkat_private>
> > To: "VULN-DEV List" <VULN-DEVat_private>
> > Sent: Tuesday, August 07, 2001 10:03 AM
> > Subject: Re: CR II - winME? confirmation? (Slightly OT)
> >
> > > Hi All,
> > >
> > > All the advisories about CR state that only IIS servers are vulnerable.
> > > However, it's my understanding that the unchecked buffer in idq.dll was the
> > > source of that vulnerability. If that's the case, then why have the
> > > advisories not included Win2K systems (all flavours) since idq.dll is
> > > installed by default as part of the indexing service on all these systems -
> > > regardless of whether they are using the service or not? Wouldn't that make
> > > ANY system with the indexing service on it just as vulnerable as systems
> > > with IIS? Am I overlooking something obvious here?
> > >
> > > Regards,
> > > Amer Karim
> > > Nautilis Information Systems
> > > e-mail: amerkat_private, mamerkat_private
> > >
>
> --
> James W. Meritt, CISSP, CISA
> Booz, Allen & Hamilton
> phone: (410) 684-6566

This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:40:39 PDT