Actually, the script mapping is _NOT_ removed via the hisecweb template,
even though it says it is. It is, however, removed by the security tool.
If anyone knows of any way to use a template to remove the script mappings,
_please_ speak up!!

Thanks!
AD

----- Original Message -----
From: "Ron DuFresne" <dufresneat_private>
To: "Inman, Carey" <Inmanat_private>
Cc: "'Meritt James'" <meritt_jamesat_private>; "kam" <kamat_private>;
    "Amer Karim" <amerkat_private>; "VULN-DEV List" <VULN-DEVat_private>
Sent: Thursday, August 09, 2001 1:31 PM
Subject: RE: CR II - winME? confirmation? (Slightly OT)

>
> Perhaps a better quote:
>
> Mitigating factors:
> * The vulnerability can only be exploited if a web session can be
>   established with an affected server. Customers who have installed
>   Index Server or Index Services but not IIS would not be at risk.
>   This is the default case for Windows 2000 Professional.
> * The vulnerability cannot be exploited if the script mappings for
>   Internet Data Administration (.ida) and Internet Data Query (.idq)
>   files are not present. The procedure for removing the mappings is
>   discussed in the IIS 4.0 and IIS 5.0 Security checklists, can be
>   automatically removed via either the High Security Template or the
>   Windows 2000 Internet Server Security Tool. Customers should be
>   aware, however, that subsequently adding or removing system
>   components can cause the mapping to be reinstated, as discussed in
>   the FAQ.
>
>
> Thanks,
>
> Ron DuFresne
>
>
> On Wed, 8 Aug 2001, Inman, Carey wrote:
>
> > Hi,
> >
> > I would like to offer a quote from MS01-033:
> >
> > "the service would not need to be running in order for an attacker to
> > exploit the vulnerability."
> >
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
> >
> > Carey
> >
> >
> >
> > -----Original Message-----
> > From: Meritt James [mailto:meritt_jamesat_private]
> > Sent: Wednesday, August 08, 2001 9:28 AM
> > To: kam
> > Cc: Amer Karim; VULN-DEV List
> > Subject: Re: CR II - winME? confirmation? (Slightly OT)
> >
> >
> > "running" or "installed"? It is my understanding that the vulnerability
> > exists if the files and mapping are there no matter the process state of
> > the IIS server. Is my understanding incorrect?
> >
> > Jim
> >
> > kam wrote:
> > >
> > > Without IIS running, an attacker has no means of exploiting the
> > > vulnerable file. With no access to the file, the vulnerability does
> > > not exist. If they're running IIS, then there is a hole which they
> > > can exploit. Even though it comes installed by default on 2000, it's
> > > not a risk until you turn on your web services.
> > >
> > > kam
> > >
> > > ----- Original Message -----
> > > From: "Amer Karim" <amerkat_private>
> > > To: "VULN-DEV List" <VULN-DEVat_private>
> > > Sent: Tuesday, August 07, 2001 10:03 AM
> > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
> > >
> > > > Hi All,
> > > >
> > > > All the advisories about CR state that only IIS servers are
> > > > vulnerable. However, it's my understanding that the unchecked
> > > > buffer in idq.dll was the source of that vulnerability. If that's
> > > > the case, then why have the advisories not included Win2K systems
> > > > (all flavours) since idq.dll is installed by default as part of the
> > > > indexing service on all these systems - regardless of whether they
> > > > are using the service or not? Wouldn't that make ANY system with
> > > > the indexing service on it just as vulnerable as systems with IIS?
> > > > Am I overlooking something obvious here?
> > > >
> > > > Regards,
> > > > Amer Karim
> > > > Nautilis Information Systems
> > > > e-mail: amerkat_private, mamerkat_private
> > > >
> > >
> >
> > --
> > James W. Meritt, CISSP, CISA
> > Booz, Allen & Hamilton
> > phone: (410) 684-6566
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
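
Added example, not part of the original thread and not code from Microsoft or any poster: a re-check for the .ida/.idq script mappings the quoted bulletin says can be reinstated, run over ScriptMaps values exported from the IIS metabase. It assumes each entry has the form "ext,processor,flags[,verbs]" and that a node without its own ScriptMaps inherits the nearest parent's list; the node names and paths in the sample are constructed.

```python
# Added example: audit IIS ScriptMaps values for the .ida/.idq mappings.
# Assumption: each entry has the form "ext,processor,flags[,verbs...]".
RISKY_EXTS = {".ida", ".idq"}


def parse_scriptmap(entry):
    """Split one ScriptMaps string into (extension, processor path)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith("."):
        raise ValueError(f"unrecognised ScriptMaps entry: {entry!r}")
    return parts[0].lower(), parts[1]


def effective_maps(nodes, path):
    """Return the ScriptMaps a node uses: its own, else the nearest parent's."""
    while True:
        maps = nodes.get(path)
        if maps is not None:
            return maps
        if "/" not in path:
            return []
        path = path.rsplit("/", 1)[0]


def audit(nodes):
    """Map each node that still serves .ida/.idq to the extensions found."""
    findings = {}
    for path in nodes:
        exts = {parse_scriptmap(e)[0] for e in effective_maps(nodes, path)}
        hits = sorted(exts & RISKY_EXTS)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: node names and paths are illustrative, not from the thread.
ASP = r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
SAMPLE = {
    "W3SVC": [ASP],                      # master level, mappings removed
    "W3SVC/1": None,                     # inherits from W3SVC
    "W3SVC/2": [                         # own list, mappings still present
        ASP,
        r".IDA,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
        r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    ],
}

if __name__ == "__main__":
    for node, exts in audit(SAMPLE).items():
        print(f"{node}: still maps {', '.join(exts)}")
```

A site that carries its own ScriptMaps list is unaffected by a removal made only at the parent level, which is why the audit resolves the effective list per node.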
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:08:29 PDT