RE: CR II - winME? confirmation? (Slightly OT)

• Previous message: Thorat_private: "Re: CR II - winME? confirmation? (Slightly OT)"
• In reply to: Inman, Carey: "RE: CR II - winME? confirmation? (Slightly OT)"
• Next in thread: Ron DuFresne: "RE: CR II - winME? confirmation? (Slightly OT)"
• Next in thread: William T. Barrett: "RE: CR II - winME? confirmation? (Slightly OT)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 8 Aug 2001, Inman, Carey wrote:

> Hi,
>
> I would like to offer a quote from MS01-033:
>
> "the service would not need to be running in order for an attacker to
> exploit the vulnerability."
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> bulletin/MS01-033.asp
>
> Carey

That quote was taken out of context...

The buffer overrun occurs before any indexing functionality is requested. As a
result, even though idq.dll is a component of Index Server/Indexing Service,
the service would not need to be running in order for an attacker to exploit
the vulnerability. As long as the script mapping for .idq or .ida files were
present, and the attacker were able to establish a web session, he could exploit
the vulnerability.

James was talking about IIS, not the Indexing Service. If IIS is not running,
you are not vulnerable.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

• Next message: sa7ori: "RE: Wireless Lans give EVERYONE ACCESS"
• Previous message: Thorat_private: "Re: CR II - winME? confirmation? (Slightly OT)"
• In reply to: Inman, Carey: "RE: CR II - winME? confirmation? (Slightly OT)"
• Next in thread: Ron DuFresne: "RE: CR II - winME? confirmation? (Slightly OT)"
• Next in thread: William T. Barrett: "RE: CR II - winME? confirmation? (Slightly OT)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:42:03 PDT