Full Disclosure mailing list archives
Re: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Crist J. Clark" <cristjc () comcast net>
Date: Fri, 12 Sep 2003 13:59:59 -0700
On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote:
> -----Original Message-----
> From: Nathan Wallwork [mailto:owen () pungent org]
> Sent: Tuesday, September 09, 2003 1:18 PM
>
> On Mon, 8 Sep 2003, Drew Copley wrote:
> > > The only sure way to detect this, I already wrote about [to
> > > Bugtraq]. That is by setting a firewall rule which blocks the
> > > dangerous mimetype string [Content-Type: application/hta].
> > > Everything else in the exploit can change.
> >
> > Just so we are clear, the firewall wouldn't be the right place to
> > catch this because that string could be split by packet
> > fragmentation, so you'd need to look for it at an application level,
> > after the data stream has been reassembled.
>
> Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate - just a
> traditional term. Any IPS that does not handle fragmentation, though,
> has some serious problems.

s/fragmentation/fragmentation and TCP reassembly/

You'd need both, and they are different things.

--
Crist J. Clark | cjclark () alum mit edu
               | cjclark () jhu edu
http://people.freebsd.org/~cjc/ | cjc () freebsd org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
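
Added example, not part of the original message or thread: a toy comparison of a per-packet match against a match on the reassembled TCP stream for the `Content-Type: application/hta` string discussed above. It models TCP reassembly only and assumes IP defragmentation has already happened in the layer below; the function names, sequence numbers and sample response are constructed for illustration.

```python
import re

# HTTP header names are case-insensitive; whitespace after ':' is optional.
RULE = re.compile(rb"content-type:[ \t]*application/hta", re.IGNORECASE)

def per_packet_match(segments):
    """Naive rule: inspect each TCP payload on its own."""
    return any(RULE.search(payload) for _, payload in segments)

def reassemble(segments, base_seq):
    """Rebuild the in-order byte stream from (seq, payload) pairs.

    base_seq is the sequence number of the first payload byte.
    Handles out-of-order arrival and retransmitted or overlapping data
    (first copy of a byte wins) and stops at the first gap.
    Assumption: no sequence-number wraparound in this toy model.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - base_seq
        if offset > len(stream):
            break  # missing data: nothing past the gap can be inspected yet
        stream += payload[len(stream) - offset:]  # keep only unseen bytes
    return bytes(stream)

def stream_match(segments, base_seq):
    """Application-level rule: inspect the reassembled stream."""
    return RULE.search(reassemble(segments, base_seq)) is not None

# Constructed sample: one HTTP response header block whose Content-Type
# line straddles three segments, delivered out of order with a retransmit.
BASE_SEQ = 1000
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/hta\r\n"
            b"Content-Length: 0\r\n\r\n")
SEGMENTS = [
    (BASE_SEQ + 45, RESPONSE[45:]),
    (BASE_SEQ, RESPONSE[:30]),
    (BASE_SEQ + 30, RESPONSE[30:45]),
    (BASE_SEQ, RESPONSE[:30]),  # retransmission of the first segment
]

if __name__ == "__main__":
    print("per-packet rule fires:", per_packet_match(SEGMENTS))
    print("reassembled-stream rule fires:", stream_match(SEGMENTS, BASE_SEQ))
```
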