Full Disclosure mailing list archives
RE: [inbox] Re: Potential Microsoft PCT worm (MS04-011)
From: "Exibar" <exibar () thelair com>
Date: Fri, 23 Apr 2004 19:18:47 -0400
nonononono... that advisory was different than Microsoft's in one VERY important way... this line:

"....For the last few hours we have also been receiving uncorroborated anecdotal evidence from reliable sources that a working worm is being trialled on the Internet,...."

implies that there is a worm released on the internet. ***VERY**** misleading if you ask me! THAT is what Gadi was referring to that caused some stir.

Microsoft's alert didn't say that there was a worm being trialed on the internet. But only warned that there MAY be a worm that takes advantage of this exploit.

Exibar

-----Original Message-----
From: insecure [mailto:insecure () ameritech net]
Sent: Friday, April 23, 2004 5:40 PM
To: Gadi Evron
Cc: advisories; full-disclosure () lists netsys com
Subject: [inbox] Re: [Full-disclosure] Potential Microsoft PCT worm (MS04-011)

Gee, the advisory from Corsaire caused a lot of panic? What was your reaction when Microsoft issued an almost identical alert about 16 hours ago? (reproduced below)

Maybe a little panic is a good thing...

What is this alert?

- Microsoft is aware of code available on the Internet that seeks to exploit vulnerabilities addressed as part of our April 13th security updates. We are investigating the situation to help protect our customers. Specifically, the reports detail exploit code that attempts to use the IIS PCT/SSL vulnerability on servers running Internet Information Services with the Secure Socket Layer authentication enabled. This vulnerability is addressed by bulletin MS04-011. Customers who have deployed MS04-011 are not at risk from this exploit code.

- Microsoft considers these reports credible and serious and continues to urge all customers to immediately install the MS4-011 update as well as the other critical updates provided on April 13th.

- Customers who are still evaluating and testing MS04-011 should immediately implement the workaround steps detailed for the PCT/SSL vulnerability detailed in the MS04-011. In addition, Microsoft has published a knowledge base article KB187498 at http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 which provides additional details on SSL and how to disable PCT without applying MS04-011.

- We expect to see additional exploits and proof-of-concept code targeting the April 2004 security bulletin release in coming days and weeks, potentially including worm or virus examples.

Gadi Evron wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You should be more careful in the future, this email message started a lot of panic and alarm.

A worm is coming, we all know that! Whether today, next week or in a month, it will come. I appreciate any warning, but not one such as this.

This advisory below however is not from Microsoft, and although I am sure you meant no harm, it appears to come from MS, format-wise and it might even imply so in a first glance.

None of the people I talked this over see a worm yet, so please be more careful in the future, because unless you have actual information, this advisory is nothing but misleading and a recycle of old information - which I am sure you didn't mean, but rather just gathered relevant information in an MS-like format for us all to benefit from.

Since you claim to have the "new" exploit, how about a snort signature, for example, or more information?

Sorry if I have been rude.

Thank you.

Gadi Evron.

advisories wrote:
| Potential Microsoft PCT worm (MS04-011)
|
| A revised exploit has been released for the PCT flaw in the last 24-hrs by
| THC (THCIISSLame.c). For the last few hours we have also been receiving
| uncorroborated anecdotal evidence from reliable sources that a working worm
| is being trialled on the Internet, in preparation for imminent release. The
| primary concern is that this flaw affects unpatched SSL enabled IIS servers,
| which could potentially be thousands of hosts.
|
| The official Microsoft patch (MS04-011) is strongly recommended for
| immediate application. However, for some organisations, change control and
| software dependency testing have meant that there has not been enough time
| to test and apply the patch widely. Additionally there have been reports of
| some organisations experiencing reliability issues after applying this
| patch, and so they have halted the rollout.
|
| As time is of the essence, an alternative to applying the patch is available
| by disabling PCT. This option has been tested by Corsaire with the THC
| exploit on Microsoft Windows 2000 SP4 IIS only (but we have no reason to
| doubt that this approach will work just as well on the alternative MS
| platforms).
|
| There is a Microsoft knowledgebase article that describes the full process.
| Be sure to follow the instructions to the letter, otherwise there is the
| risk that you will still be exposed:
| http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
|
|
| -- Background --
|
| Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft
| http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
|
|
| -- Distribution --
|
| This security advisory may be freely distributed, provided that it
| remains unaltered and in its original form.
|
|
| -- Disclaimer --
|
| The information contained within this advisory is supplied "as-is" with
| no warranties or guarantees of fitness of use or otherwise. Corsaire
| accepts no responsibility for any damage caused by the use or misuse of
| this information.
|
|
| Copyright 2004 Corsaire Limited. All rights reserved.
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|

- --
Email: ge () linuxbox org.
Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments:
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06
FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06

GPG key for encrypted email:
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450
FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAiZGaqH6NtwbH1FARAgj5AJ9MfHDE91X/pirb9bkES7pb8+lqPQCfQUIG
1xSzEu3quaFYYkfwcd99kBk=
=QP+k
-----END PGP SIGNATURE-----

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html