Full Disclosure mailing list archives
RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Drew Copley" <dcopley () eeye com>
Date: Tue, 9 Sep 2003 13:51:25 -0700
-----Original Message----- From: Nathan Wallwork [mailto:owen () pungent org] Sent: Tuesday, September 09, 2003 1:18 PM To: Drew Copley Cc: ADBecker () chmortgage com; 'GreyMagic Software'; 'Bugtraq'; full-disclosure () lists netsys com; http-equiv () excite com; 'NTBugtraq'; 'Microsoft Security Response Center'; vulnwatch () vulnwatch org Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 On Mon, 8 Sep 2003, Drew Copley wrote:The only sure way to detect this, I already wrote about [toBugtraq].That is by setting a firewall rule which blocks thedangerous mimetypestring [Content-Type: application/hta]. Everything else in theexploit can change. Just so we are clear, the firewall wouldn't tbe he right place to catch this because that string could be split by packet fragmentation, so you'd need to look for it at an application level, after the data stream has been reassembled.
Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a traditional term. Any IPS that does not handle fragmentation, though, has some serious problems.
Of course, if anyone thinks it is easier to protect their browser with a proxy than fix the browser they've got other issues.
Yes, exactly. There have been a lot of inaccuracies about this bug. What should be absolutely clear to everyone is that it is a very serious security hole and users should put in a fix on their own system and the systems which they are responsible for. Any kind of "well, my AV protects me from this" is absolutely inexcusable. As Nick Fitzgerald pointed out, I don't even think there is AV which looks at server response codes. This means there is absolutely no protection offered from these products. There is a near infinite number of ways someone could write exploit code doing the same thing for this bug. There is no way AV can protect against the next virus. They don't know it exists. How can they protect against it? Beyond this, if you actually tell people you depend on this kind of solution... You are telling everyone you are vulnerable. You are telling the leagues of the security world "I have this vulnerability on my system, my browser is an open door". People, think. We are not lying and we are not incorrect about this. Those that are not ignorant of this problem have a conscience obligation to secure the systems they are in charge of. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032, (continued)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nick Jacobsen (Sep 07)
- FW: BAD NEWS: Microsoft Security Bulletin MS03-032 Richard M. Smith (Sep 07)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 GreyMagic Software (Sep 08)
- Re: [VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Thomas Kristensen (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 ADBecker (Sep 08)
- Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nick FitzGerald (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Thor Larholm (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nathan Wallwork (Sep 09)
- (Patch Updated) Microsoft Security Bulletin MS03-032 Jim (Sep 09)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 10)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 Crist J. Clark (Sep 12)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 12)
- Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Dimitri Limanovski (Sep 10)