RE: [Full-Disclosure] LSASS exploit win32 binary

From: Stuart Fox (DSL AK) (
Date: 04/30/04

  • Next message: morning_wood: "Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)"
    To: Chris Scott <>,
    Date: Fri, 30 Apr 2004 15:53:02 +1200

    For those servers that break when you apply MS04-011, there's a KB article
    that describes what to do to work around it.;EN-US;841382

    > -----Original Message-----
    > From:
    > [] On Behalf Of
    > Chris Scott
    > Sent: Thursday, 29 April 2004 4:22 p.m.
    > To:;
    > Subject: RE: [Full-Disclosure] LSASS exploit win32 binary
    > Does anyone have snort sigs or any means of defending against
    > the worms that are exploiting this? Several acquaintances of
    > mine which work for edu's are reporting their networks being
    > affected by this in a big way. They have 2k machines which
    > apparently broke when applied with the MS04-011 patch.

    Full-Disclosure - We believe in it.

  • Next message: morning_wood: "Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)"

    Relevant Pages

    • Re: problems with KB951746
      ... Do any of the four servers run *without* ISA? ... What I suspect is happening is that the patch is doing what it is supposed to do. ... If your firewall is not configured to allow DNS traffic from a random source port then your recursive DNS requests are being stopped at the firewall...and you'll get the symptoms you describe. ... It is also possible, but less likely, that your ISP's DNS servers are misconfigured and are unable to reply on odd source ports. ...
    • Best Practice re: patching multiple Sun Servers connected to a Hitachi SAN
      ... All Sun Servers are using Solaris 8 with Veritas Volume Manager 3.2 to ... Hitachi 9200 are under Veritas control and use VxFS filing system with large ... 8_recommended patch cluster with a date stamp of 4/20/2004. ... to install the patch cluster in single user mode with my mirrors detached ...
    • Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
      ... But you'd still patch either way, ... of home users who don't even know what a security patch *IS*, ... But how many organisations firewall off internal servers from ... administrators have the time to watch the IDS given the number of patches they ...
    • Re: KB917537 Failing
      ... I honestly hand patch servers... ... Windows Server 2003 Hotfix KB917537 installation failed. ... The consensus among the MVPs is that SBS'ers should reboot after patch ...
    • Re: KB917537 Failing
      ... This patch worked just fine on all my servers but it's obviously having issues with some servers. ... possible installer issue with the IIS patch ... To add insult to injury, if you hit the "Restart" button in the patch success dialog box rather than clicking "Later" and doing the restart manually, it fails to make the appropriate entry in the system log to document the reason for shutdown. ...