Re: Microsoft Security Bulletin - MS02-011 and MS02-012

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 02/28/02


Date:         Wed, 27 Feb 2002 23:18:31 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

After reading the two new bulletins, some may find them a bit confusing.

Both MS02-011 and MS02-012 point to the same patch when the Windows 2000
SMTP service (the one in IIS) is involved. This makes sense, if you
think about it, one patch addresses both issues.

However, MS02-011 involves a vulnerability that affects not only the
Windows 2000 SMTP Service, but also the Internet Mail Connector in
Exchange Server 5.5. As such, MS02-011 has a patch for Exchange 5.5
environments also. Further, this vulnerability involves authentication
against the SMTP service using NTLM. Since Windows 2000 Pro and Windows
XP Pro are not listed as being affected, we just have to assume they
aren't able to do the same authentication process that W2K Server can
(despite the fact they can install the "same" SMTP Service).

MS02-012 involves a vulnerability in an SMTP command. Exchange 5.5 does
not have a problem with whatever command is vulnerable, whereas the SMTP
Service (the one in IIS) does, ergo, there's a patch there for both
Windows 2000 environments and Windows XP Pro.

If you ask me, it's the right way for Microsoft to inform us of the
issues (although they could explain this in their bulletins instead of
me here). Each issue has its own bulletin (unlike the last IE bulletin),
even if it does mean the same patch is linked by both bulletins (for
some platforms).

Hope this is as clear as mud. Of course I could be completely wrong, it
just takes too long for me to get an answer out of MSRC these days
(they're obviously very busy folks) so I'm taking a stab at explaining
this based on my own *assum*ptions.

Cheers,
Russ - NTBugtraq Editor
