Bugtraq mailing list archives
FW: Windows 9x? (Re: Microsoft Security Bulletin (MS00-047))
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Mon, 31 Jul 2000 21:12:56 -0600
Microsoft did the same with bulletin MS00-036 (found by COVERT labs too). I posted this same question to NTBUGTRAQ when MS00-036 was released, but Russ didn't post it and proceeded to argue about it (which I figured would be a waste of time). I gave a bad example, but he missed the point. Now back to the point...Why didn't they post a fix or even acknowledge it this time?
From the FAQ's for MS00-036:
"The computer browser protocol is implemented on all Windows systems. Why isn't there a patch for Windows 95, Windows 98 and Windows NT 4.0 Server, Terminal Server Edition? These systems do implement the Computer Browser protocol, but we have not developed a patch to add the RefuseReset and MaximumBrowseEntries functions for these systems. The reason is because the networks in which the attack at issue here would pose the greatest risk - large networks with many users - are exactly those most unlikely to use these systems as browsers."

They at least gave a reason last time even though they included their usual 'people wouldn't ever do it that way anyway' comment. Either it's a security hole or it isn't. Right? Maybe Windows Me (lol) is getting all of the attention.

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO 80246
mforrester () hsacorp net - +1 303 256 2134

-----Original Message-----
From: Peter W
To: BUGTRAQ () SECURITYFOCUS COM
Sent: 7/29/00 3:03 PM
Subject: Windows 9x? (Re: Microsoft Security Bulletin (MS00-047))

COVERT says that the problem they reported also occurs on Windows 95 and Windows 98. Why are those OS'es not listed here?

-Peter

At 5:58pm Jul 27, 2000, Microsoft Product Security wrote:
Patch Available for "NetBIOS Name Server Protocol Spoofing" Vulnerability
Originally Posted: July 27, 2000

Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000

Patch Availability
==================
- Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370
- Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition: Patch to be released shortly.
- Windows NT 4.0 Server, Terminal Server Edition: Patch to be released shortly.

Acknowledgments
===============
Microsoft thanks the following customers for working with us to protect customers:
- COVERT Labs at PGP Security, Inc., for reporting the unsolicited NetBIOS Name Conflict datagram issue to us.
- Sir Dystic of Cult of the Dead Cow for reporting the Name Release issue to us.