Bugtraq mailing list archives

Re: Fwd: Information on MS99-022


From: vanja () SIAMRELAY COM (Vanja Hrustic)
Date: Mon, 5 Jul 1999 04:08:04 +0700


At 10:36 PM 7/4/99 +1000, Darren Reed wrote:
> I would hazard a guess that the number of custom IDS systems in place is
> a small number, so if you compare the number of hackers who would gain
> information on how to exploit this feature and otherwise wouldn't (i.e.
> script kiddies) and weigh that against those that run custom IDS solutions,
> I think the scales will tip in favour of the script kiddies.  I say that

According to this logic, eEye shouldn't have published their IIS4 advisory at
all. Many script kiddies got the information (and tools) on how to exploit
the vulnerability.

> because if you have your own IDS system, chances are you've built it on
> a Unix system and hence run Unix elsewhere through your firewall, etc,
> and wouldn't need to worry about this threat because you don't have IIS4.0
> on any critical systems.  Does that make some sense?

No.

Just to clarify something (the main reason why I actually replied):

I live/work in Asia - which is the main reason why I'm not happy with the
Microsoft approach.

US/Europe/Australia are not worried about this issue. But Asia is. And I
need to deal with customers who also have IIS4. Reason enough to be worried.

Looking at the 'business side', if I need to make a 'blind' intrusion test
(no information supplied by the customer at all), how can I state that IIS4
is vulnerable or not? I can't - but the "security vendor" can. Not really
fair ;)

Regards,

Vanja

