Full Disclosure mailing list archives
Re: Potential Microsoft PCT worm (MS04-011)
From: Gadi Evron <ge () egotistical reprehensible net>
Date: Fri, 23 Apr 2004 23:58:53 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You should be more careful in the future, this email message started a lot of panic and alarm. A worm is coming, we all know that! Whether today, next week or in a month, it will come. I appreciate any warning, but not one such as this. This advisory below however is not from Microsoft, and although I am sure you meant no harm, it appears to come from MS, format-wise and it might even imply so in a first glance. Non of the people I talked this over see a worm yet, so please be more careful in the future, because unless you have actual information, this advisory is nothing but mis-leading and a recycle of old information - which I am sure you didn't mean, but rather just gathered relevant information in an MS-like format for us all to benefit from. Since you claim to have the "new" exploit, how about a snort signature, for example, or more information? Sorry if I have been rude. Thank you. Gadi Evron. advisories wrote: | Potential Microsoft PCT worm (MS04-011) | | A revised exploit has been released for the PCT flaw in the last 24-hrs by | THC (THCIISSLame.c). For the last few hours we have also been receiving | uncorroborated anecdotal evidence from reliable sources that a working worm | is being trialled on the Internet, in preparation for imminent release. The | primary concern is that this flaw affects unpatched SSL enabled IIS servers, | which could potentially be thousands of hosts. | | The official Microsoft patch (MS04-011) is strongly recommended for | immediate application. However, for some organisations, change control and | software dependency testing have meant that there has not been enough time | to test and apply the patch widely. Additionally there have been reports of | some organisations experiencing reliability issues after applying this | patch, and so they have halted the rollout. | | As time is of the essence, an alternative to applying the patch is available | by disabling PCT. This option has been tested by Corsaire with the THC | exploit on Microsoft Windows 2000 SP4 IIS only (but we have no reason to | doubt that this approach will work just as well on the alternative MS | platforms). | | There is a Microsoft knowledgebase article that describes the full process. | Be sure to follow the instructions to the letter, otherwise there is the | risk that you will still be exposed: | http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 | | | -- Background -- | | Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft | http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx | | | -- Distribution -- | | This security advisory may be freely distributed, provided that it | remains unaltered and in its original form. | | | -- Disclaimer -- | | The information contained within this advisory is supplied "as-is" with | no warranties or guarantees of fitness of use or otherwise. Corsaire | accepts no responsibility for any damage caused by the use or misuse of | this information. | | | Copyright 2004 Corsaire Limited. All rights reserved. | | _______________________________________________ | Full-Disclosure - We believe in it. | Charter: http://lists.netsys.com/full-disclosure-charter.html | | - -- Email: ge () linuxbox org. Backup: ge () warp mx dk. Phone: +972-50-428610 (Cell). PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06 GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32) iD8DBQFAiZGaqH6NtwbH1FARAgj5AJ9MfHDE91X/pirb9bkES7pb8+lqPQCfQUIG 1xSzEu3quaFYYkfwcd99kBk= =QP+k -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Potential Microsoft PCT worm (MS04-011) advisories (Apr 23)
- Re: Potential Microsoft PCT worm (MS04-011) Gadi Evron (Apr 23)
- Re: Potential Microsoft PCT worm (MS04-011) Gadi Evron (Apr 23)
- Re: Potential Microsoft PCT worm (MS04-011) insecure (Apr 23)
- Potential Microsoft PCT worm (MS04-011) Alerta Redsegura (Apr 23)
- RE: [inbox] Re: Potential Microsoft PCT worm (MS04-011) Exibar (Apr 23)
- Re: Potential Microsoft PCT worm (MS04-011) insecure (Apr 23)
- <Possible follow-ups>
- Re: Potential Microsoft PCT worm (MS04-011) http-equiv () excite com (Apr 23)
- RE: Potential Microsoft PCT worm (MS04-011) Tremaine Lea (Apr 23)
- RE: Potential Microsoft PCT worm (MS04-011) Alerta Redsegura (Apr 23)