Full Disclosure mailing list archives
RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 12 Sep 2003 14:18:41 -0700
-----Original Message-----
From: Crist J. Clark [mailto:cristjc () comcast net]
Sent: Friday, September 12, 2003 2:00 PM
To: Drew Copley
Cc: 'Nathan Wallwork'; 'GreyMagic Software'; 'Bugtraq'; full-disclosure () lists netsys com; http-equiv () excite com; 'NTBugtraq'; vulnwatch () vulnwatch org
Subject: Re: BAD NEWS: Microsoft Security Bulletin MS03-032

On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote:
> -----Original Message-----
> From: Nathan Wallwork [mailto:owen () pungent org]
> Sent: Tuesday, September 09, 2003 1:18 PM
>
> On Mon, 8 Sep 2003, Drew Copley wrote:
> > The only sure way to detect this, I already wrote about [to Bugtraq]. That is by setting a firewall rule which blocks the dangerous mimetype string [Content-Type: application/hta]. Everything else in the exploit can change.
>
> Just so we are clear, the firewall wouldn't be the right place to catch this because that string could be split by packet fragmentation, so you'd need to look for it at an application level, after the data stream has been reassembled.
>
> Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate - just a traditional term. Any IPS that does not handle fragmentation, though, has some serious problems.

s/fragmentation/fragmentation and TCP reassembly/

You'd need both, and they are different things.
Yes, you do in IPS. TCP packets can be reordered within their session and they can be fragmented as well... You can well make mincemeat of your IPS if it can not properly handle such situations. But, I am at a loss to see how this applies to this subject. Maybe I am missing something obvious. Who knows? It is Friday.

Maybe in the sense that *whatever protection* one may have, one should still fix one's system. This is best practice. The most popular question I have on this is "will this workaround hurt my system". No, no it will not. This mimetype is absolutely useless, as I noted, even to running htas. I think very few have performed the workaround.

BTW, safecenter.net, I believe, now has an SSL version of this attack, I believe it was, kudos to Dror Shalev... So that kind of makes the whole AV/IPS issue moot. So, case in point, why we should follow "best practice".

And, another note, we have found worms like this in the wild. What do they do? They trojanize your system with a bug that calls you to dial up 900 porn numbers. The next worst thing to posting your keylogs to the Usenet. No? Friggin spammers.
--
Crist J. Clark | cjclark () alum mit edu | cjclark () jhu edu
http://people.freebsd.org/~cjc/ | cjc () freebsd org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
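The exchange above turns on one detection detail: a rule that looks for the `Content-Type: application/hta` string only works if the inspecting device sees the reassembled TCP stream, because the string can straddle a segment boundary and segments can arrive out of order or be retransmitted. The following Python is an added example, not code from the thread or from any IPS product; the reassembler, the sample HTTP response, the sequence numbers and the cut points are all constructed here to show a per-packet matcher missing the string while a stream-reassembling matcher catches it.

```python
# Added example: matching the MIME type signature on the reassembled TCP
# stream versus on individual packets. All data below is constructed.
import re
from typing import Dict, List, Tuple

# The string the thread recommends blocking. HTTP header names and MIME
# types are case-insensitive, so the pattern is too.
HTA_SIGNATURE = re.compile(rb"content-type:[ \t]*application/hta", re.IGNORECASE)

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


class TcpStream:
    """Minimal one-direction TCP reassembler (constructed for this example).

    Segments are keyed by sequence number and appended to the stream only
    once every byte before them has arrived, so out-of-order delivery and
    retransmissions are handled.
    """

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                  # next sequence number expected
        self.pending: Dict[int, bytes] = {}  # segments waiting for a gap to fill
        self.assembled = bytearray()

    def add_segment(self, seq: int, payload: bytes) -> None:
        end = seq + len(payload)
        if end <= self.next_seq:
            return                           # full retransmission, already have it
        if seq < self.next_seq:
            payload = payload[self.next_seq - seq:]  # trim overlapping prefix
            seq = self.next_seq
        if seq not in self.pending or len(payload) > len(self.pending[seq]):
            self.pending[seq] = payload
        # Drain every segment that is now contiguous with the stream.
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.assembled.extend(data)
            self.next_seq += len(data)

    def data(self) -> bytes:
        return bytes(self.assembled)


def per_packet_match(segments: List[Segment]) -> bool:
    """Naive inspection: run the signature over each payload in isolation."""
    return any(HTA_SIGNATURE.search(payload) for _, payload in segments)


def reassemble(isn: int, segments: List[Segment]) -> bytes:
    """Feed every segment to the reassembler and return the stream bytes."""
    stream = TcpStream(isn)
    for seq, payload in segments:
        stream.add_segment(seq, payload)
    return stream.data()


def reassembled_match(isn: int, segments: List[Segment]) -> bool:
    """Correct inspection: reassemble the stream first, then match."""
    return HTA_SIGNATURE.search(reassemble(isn, segments)) is not None


def build_segments(isn: int, data: bytes, cuts: List[int]) -> List[Segment]:
    """Split data into TCP segments at the given byte offsets."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [(isn + start, data[start:end]) for start, end in zip(bounds, bounds[1:])]


# Constructed sample: an HTTP response carrying the MIME type, cut so that
# the signature straddles a segment boundary ("...appli" | "cation/hta...").
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Content-Type: application/hta\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
ISN = 1000
IN_ORDER = build_segments(ISN, RESPONSE, cuts=[20, 53])
# Deliver the segments in reverse order, plus a retransmission of the first.
OUT_OF_ORDER = list(reversed(IN_ORDER)) + [IN_ORDER[0]]

if __name__ == "__main__":
    print("per-packet match :", per_packet_match(OUT_OF_ORDER))       # False
    print("reassembled match:", reassembled_match(ISN, OUT_OF_ORDER))  # True
```

The per-packet matcher sees `Content-Type: appli` in one payload and `cation/hta` in the next and reports nothing; the reassembler reorders the segments, discards the retransmission and exposes the full header to the signature. IP fragmentation is the same problem one layer down, and as the reply notes it needs its own reassembly step before the TCP one.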