Bugtraq mailing list archives

Re: Microsoft Security Bulletin (MS00-036)

From: matt () USE NET (Matt)
Date: Fri, 26 May 2000 12:46:03 -0700


On Fri, 26 May 2000, Microsoft Product Security wrote:

Affected Software Versions
==========================
 - Microsoft Windows NT 4.0 Workstation
 - Microsoft Windows NT 4.0 Server
 - Microsoft Windows NT 4.0 Server, Enterprise Edition
 - Microsoft Windows 2000 Professional
 - Microsoft Windows 2000 Server
 - Microsoft Windows 2000 Advanced Server

NOTE: Windows 95, Windows 98, and Windows NT 4.0 Server, Terminal
Server Edition, also provide an implementation of the Computer Browser
protocol. However, they are not listed as affected products because
the scenario in which these vulnerabilities could be exploited - large
networks that rely on computer browsing - are exactly the ones most
unlikely to use Windows 95, Windows 98 or Windows NT 4.0 Terminal
Servers as master browsers.


Either Win9x and NT4TSE are "affected", or they aren't. They aren't in the
"Affected Software Versions" list, but then the verbage says that they are
affected. If they are affected, a fix should be provided instead of
Microsoft making broad assumptions that their products are only being used
in certain contexts.

As a Windows 98 user, I would very much like to see a fix for these
vulnerabilities and I'm sure others would as well.


--
this band is perfect
just don't scratch the surface

Current thread:

[COVERT-2000-05] Microsoft Windows Computer Browser Reset Vulnerability COVERT Labs (May 25)
- new vulnerability in Netscape effectively disables SSL server auth Kevin Fu (May 26)
- Microsoft Security Bulletin (MS00-036) Microsoft Product Security (May 26)
  - Re: Microsoft Security Bulletin (MS00-036) Matt (May 26)
  - [TL-Security-Announce] gpm TLSA2000011-1 Katherine M. Moussouris (May 26)
  - Revision 2: Analysis of jolt2.c (MS00-029) Mikael Olsson (May 27)
- Re: [COVERT-2000-05] Microsoft Windows Computer Browser Reset Vulnerability Vladimir Dubrovin (May 26)