Full Disclosure mailing list archives

Re: [VulnDiscuss] Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032


From: K_aneda <info-machine () magi net au>
Date: 09 Sep 2003 20:18:54 +1000

On Tue, 2003-09-09 at 15:23, Nick FitzGerald wrote:
ADBecker () chmortgage com replied to GreyMagic to "http-equiv":

<snip>

If your scanner is detecting anything, the odds are extremely high that 
it will be the code of a specific exploit, rather than generic exploit 
code as there really is no such thing in this case.

...  We have McAfee VirusScan 7 Ent. which
caught both exploit examples at http://greymagic.com/adv/gm001-ie/

Hmmmmmm -- if what you meant was simply that your scanner detects both 
of the exploits linked from GreyMagic's page, I suspect that you have 
too much blind faith in your scanner.  When GreyMagic said "This is the 
exact same issue as ..." he did not mean that it is the same exploit.  
He did not even mean that the same exploit mechanism was at work.  That 
means scanners that detect his PoC exploits will not (with the same 
detection code) detect exploits of this new problem.  What he meant was 
that the exact same slothful and incomplete analysis of the problem by 
Microsoft as led to his exposure of flaws in a previous IE patch are at 
work in producing the exact same kind of flawed patch here.

From some testing I've carried out, the Norton Antivirus Corporate will
pick up the last XML created version of it, but ignores all the
"disclosed" variants from this list.

Thing is, they've done crazy things like this in the past.  Things such
as the RPC/DCOM vulnerability - one of the "in the wild" exploits, when
compiled on a 2000 machine, is deleted by some scanners as an RPC
worm.  (The signature they are using appears to be picking up on the
shellcode.)

However when you attack the machine (and the shellcode obviously gets
through memory and past its VxD hooks, or am I off on a tangent?), no
antivirus alerts [obviously].

Also, the local Windows attack (GetAd, I believe it is called): the binary
is labelled as an Exploit by some security scanners.

Anyone who trusts their scanners that "it will save me from exploits" is
obviously delusional.  :)

-- 
L. Walker <lwalker at magi dot net dot au>
--
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
--


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
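The argument in the thread above, that a scanner which "catches" a PoC has learned the bytes of that one file rather than anything about the vulnerability, can be shown with a toy byte-signature scanner. The following is an added example and is not code from the original post or from any of the people quoted in it; the "shellcode", the HTML wrapper, the second binary and the signature are all constructed filler bytes, not real exploit code. It reproduces both effects the poster describes: an unrelated file that embeds the same shellcode bytes gets the same verdict (the compiled RPC/DCOM exploit flagged as a worm), while trivially altered copies of the PoC are passed as clean.

```python
"""Toy byte-signature scanner: a signature keyed on one PoC's bytes
matches that file, and any other file carrying the same bytes, but
not a trivially altered variant.

Added example, not code from the original post.  All payloads, the
signature and the 'shellcode' are constructed filler bytes.
"""

# Constructed stand-ins for a NOP sled and for the shellcode a vendor
# signature would key on.  bytes(range(0x10, 0x20)) is NOT machine code.
SLED = b"\x90" * 16
SHELLCODE = bytes(range(0x10, 0x20))

# The PoC file as the vendor saw it, and the signature extracted from it:
# the tail of the sled plus the first eight "shellcode" bytes.
POC_FILE = b"<html><script>" + SLED + SHELLCODE + b"</script></html>"
SIGNATURE = SLED[-4:] + SHELLCODE[:8]

# A different (constructed) binary that happens to embed the same bytes,
# like a locally compiled exploit tool: same bytes, same verdict.
OTHER_BINARY = b"MZ" + b"\x00" * 30 + SLED + SHELLCODE + b"\x00" * 30


def scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Exact-substring match: the simplest form of a file signature."""
    return signature in data


def variant_filler(payload: bytes) -> bytes:
    """Same shellcode, different sled byte (0x41 is a common stand-in for 0x90)."""
    return payload.replace(b"\x90", b"\x41")


def variant_split(payload: bytes) -> bytes:
    """One extra byte between sled and shellcode; the signature spans that boundary."""
    return payload.replace(SLED + SHELLCODE, SLED + b"\x42" + SHELLCODE)


def variant_xor(payload: bytes, key: int = 0x5A) -> bytes:
    """XOR-encode the shellcode on disk.  A real variant would prepend a
    decoder stub so it still runs; it is omitted here because only the
    on-disk bytes matter to a file scanner."""
    encoded = bytes(b ^ key for b in SHELLCODE)
    return payload.replace(SHELLCODE, encoded)


def verdicts() -> dict:
    """Run the signature over the PoC, the unrelated binary and three variants."""
    return {
        "poc": scan(POC_FILE),
        "other_binary_same_shellcode": scan(OTHER_BINARY),
        "variant_filler": scan(variant_filler(POC_FILE)),
        "variant_split": scan(variant_split(POC_FILE)),
        "variant_xor": scan(variant_xor(POC_FILE)),
    }


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:30s} {'DETECTED' if hit else 'clean'}")
```

Only the first two entries are flagged: the signature follows the bytes, not the vulnerability, so a scanner that detects the GreyMagic PoC says nothing about whether it would catch a different exploit for the same patch flaw, and it says nothing at all about shellcode that only ever exists in memory.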
