Vulnerability Development mailing list archives
RE: CR II - winME? confirmation? (Slightly OT)
From: "William T. Barrett" <wtb () uhaul com>
Date: Thu, 9 Aug 2001 13:29:31 -0700
Second you should try to get in context. your qoute refers to the Indexing service not the IIS service. IIS must be running or there is nothing serviceing port 80 and therefore no way for hte exploit to work. to quote the same site: "So, if IIS is not running on my machine, Im not affected by the vulnerability? Thats correct. Even if youve installed Index Server or Indexing Service, the vulnerability could only be exploited if IIS were running" -WTB Hi, I would like to offer a quote from MS01-033: "the service would not need to be running in order for an attacker to exploit the vulnerability." http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-033.asp Carey -----Original Message----- From: Meritt James [mailto:meritt_james () bah com] Sent: Wednesday, August 08, 2001 9:28 AM To: kam Cc: Amer Karim; VULN-DEV List Subject: Re: CR II - winME? confirmation? (Slightly OT) "running" or "installed"? It is my understanding that the vulnerability exists if the files and mapping are there no matter the process state of the IIS server. Is my understanding incorrect? Jim kam wrote:
Without IIS running, an attacker has no means of exploiting the
vulnerable
file. With no access to the file, the vulnerability does not exist. If they're running IIS, then there is a hole which they can exploit. Even though it comes installed by default on 2000, it's not a risk until you
turn
on your web services. kam ----- Original Message ----- From: "Amer Karim" <amerk () telus net> To: "VULN-DEV List" <VULN-DEV () SECURITYFOCUS COM> Sent: Tuesday, August 07, 2001 10:03 AM Subject: Re: CR II - winME? confirmation? (Slightly OT)Hi All, All the advisories about CR state that only IIS servers are vulnerable. However, it's my understanding that the unchecked buffer in idq.dll wasthesource of that vulnerability. If that's the case, then why have the advisories not included Win2K systems (all flavours) since idq.dll is installed by default as part of the indexing service on all thesesystems -regardless of whether they are using the service or not? Wouldn't thatmakeANY system with the indexing service on it just as vulnerable as
systems
with IIS? Am I overlooking something obvious here? Regards, Amer Karim Nautilis Information Systems e-mail: amerk () telus net, mamerk () hotmail com
-- James W. Meritt, CISSP, CISA Booz, Allen & Hamilton phone: (410) 684-6566
Current thread:
- Re: CR II - winME? confirmation? (Slightly OT), (continued)
- Re: CR II - winME? confirmation? (Slightly OT) Enrique A. Compañ Gzz. (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Gregory_DeGennaro (Aug 09)
- RE: CR II - winME? confirmation? (Slightly OT) Inman, Carey (Aug 09)
- Re: CR II - winME? confirmation? (Slightly OT) Ryan Permeh (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Mike Duncan (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Matthew Leeds (Aug 10)
- Re: CR II - winME? confirmation? (Slightly OT) Thor (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Jonathan Rickman (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Ron DuFresne (Aug 10)
- Re: CR II - winME? confirmation? (Slightly OT) Thor (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) William T. Barrett (Aug 10)