Educause Security Discussion mailing list archives

Re: Vulnerability scanner for MS05-039


From: Tom Bossie <tbossie () CITADEL COM>
Date: Wed, 17 Aug 2005 12:22:08 -0500

In an effort to aid those in the notification of incidents like the one we
have encountered the past few weeks, I would like to offer the following
service, "The 2 Minute Warning". It is not a commercial or sales gimmick,
and it is a free service to our customers that is also open to the public.

The Citadel 2 Minute Warning daily security news broadcast is launch-able
right from your inbox each day. It includes all the major threat warnings
and security headlines in a news radio style broadcast with links to the
full stories. Patches for most of the aforementioned vulns have been
available since Aug. 9th.

Launch Today's 2 Minute Warning:
www.citadel.com/2minutebroadcast

Please do not take this the wrong way; I am just trying to help!

Thx,
Tom Bossie
Citadel Security Software

-----Original Message-----
From: Chris Russel [mailto:russel () YORKU CA]
Sent: Wednesday, August 17, 2005 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability scanner for MS05-039

On Wed, 17 Aug 2005, Robert Kerr wrote:

> On Tue, 2005-08-16 at 14:17 -0500, Graham Toal wrote:
>> I have a *lot* of these:
>>
>> 445 MS04-007 SECURE:MS04-011 SECURE:MS05-039 INCONCLUSIVE [0000f203]
>>
>> Any ideas what the Inconclusive means in that context?  They're all XPs.
>> Some of them may not have rebooted yet despite already having received the
>> patch.
>> (We pushed out the updates last week using SMS)
>
> To exploit this vulnerability with XP SP1 or above valid logon
> credentials are required:
>
> http://www.microsoft.com/technet/security/advisory/899588.mspx
>
> Seeing as the scanner doesn't have valid logon credentials it's not
> possible for it to determine for sure whether such machines are patched
> or not. At least that's my understanding.


Thanks, that is correct for the vast majority of the INCONCLUSIVES. I
don't like to say they are patched when I can't tell. There may be a few
vulnerable that report as inconclusive - I am waiting for more
information from some people to follow up on that.

Although rare on fast networks, in some cases it may be related to the
receive timeout.  I run it with a longer timeout than the default; you can
try "-r 1800". (yes I might change the default...)

--
Chris Russel
Manager CNS Information Security
York University, Toronto, Canada
