Full Disclosure mailing list archives
Re: [VulnDiscuss] Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: K_aneda <info-machine () magi net au>
Date: 09 Sep 2003 20:18:54 +1000
On Tue, 2003-09-09 at 15:23, Nick FitzGerald wrote:
ADBecker () chmortgage com replied to GreyMagic to "http-equiv":
<snip>
If your scanner is detecting anything, the odds are extremely high that it will be the code of a specific exploit, rather than generic exploit code as there really is no such thing in this case....

We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/

Hmmmmmm -- if what you meant was simply that your scanner detects both of the exploits linked from GreyMagic's page, I suspect that you have too much blind faith in your scanner. When GreyMagic said "This is the exact same issue as ..." he did not mean that it is the same exploit. He did not even mean that the same exploit mechanism was at work. That means scanners that detect his PoC exploits will not (with the same detection code) detect exploits of this new problem.

What he meant was that the exact same slothful and incomplete analysis of the problem by Microsoft as led to his exposure of flaws in a previous IE patch is at work in producing the exact same kind of flawed patch here.

From some testing I've carried out, the Norton Antivirus Corporate will pick up the last XML created version of it, but ignores all the "disclosed" variants from this list.

Thing is, they've done crazy things like this in the past. Things such as the RPC/DCOM vulnerability - one of the "in the wild" exploits, when compiled on a 2000 machine using some scanners is deleted as an RPC Worm. (The signature they are using appears to be picking up on the shellcode.) However when you attack the machine (and the shellcode obviously gets through memory and past its VxD hooks, or am I off on a tangent?), no antivirus alerts [obviously].

Also the local Windows attack GetAd I believe it is called, the binary is labelled as an Exploit by some security scanners.

Anyone who trusts their scanners that "it will save me from exploits" is obviously delusional. :)

--
L. Walker <lwalker at magi dot net dot au>