Dailydave mailing list archives

sky != falling


From: Dave Aitel <dave () immunitysec com>
Date: Fri, 14 Oct 2005 11:45:32 -0400

I know everyone is freaking, but I don't think there's going to be a DTC worm. More to the point, Sinan Eren doesn't think there's going to be a DTC (MS05-051) worm, and if anyone knows, it's him. Even if you can predict or leak VirtualAlloc() addresses, which is probably unlikely for anyone any time soon, there's a lot of variability in the kinds of machines that are vulnerable. Is that SP4 up2date? Is it slipstream? This bug isn't going to have a worm. I hate to step up against Marc and Neel, but imo, no worm.

If there IS a worm, I predict it's going to be the ms_netware bug. That bug is so easy (once you have a decent widechar.py - thanks bas!) that you can use it in buffer overflow 101 classes. The umpnp bug is a bit more complex, you can overwrite eip with 00XX00YY where XX and YY are characters from a registry key you get to pick. It's fun for the whole family. Do you A) spam the heap with lots of your shellcode? or B) off by two EIP and hope for something cool? C) find an 0day.

I got some questions from various people asking "What's the most important bug just released?" My answer was "Who cares? The most important bug is the one that will get released next month."

Has anyone noticed that Microsoft requires you to download and run a "validation tool" from an HTTP:// site in order to get the rollup patch? It's like a dsniffer's dream come true.

-dave
