Re: Microsoft Security Bulletin - MS02-011 and MS02-012 - again
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 02/28/02
Date: Thu, 28 Feb 2002 01:47:54 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Ok, I goofed. I said that MS02-011 didn't apply to Windows 2000 Pro. It
does, and it was stated as such in the original advisory, I just missed
it. It also states that Windows XP Pro was tested and found not
vulnerable to the issue.
My apologies.
Cheers,
Russ - NTBugtraq Editor
-----Original Message-----
From: Russ
Sent: Wednesday, February 27, 2002 11:19 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Microsoft Security Bulletin - MS02-011 and MS02-012
After reading the two new bulletins, some may find them a bit confusing.
Both MS02-011 and MS02-012 point to the same patch when the Windows 2000
SMTP service (the one in IIS) is involved. This makes sense, if you
think about it, one patch addresses both issues.
However, MS02-011 involves a vulnerability that affects not only the
Windows 2000 SMTP Service, but also the Internet Mail Connector in
Exchange Server 5.5. As such, MS02-011 has a patch for Exchange 5.5
environments also. Further, this vulnerability involves authentication
against the SMTP service using NTLM. Since Windows 2000 Pro and Windows
XP Pro are not listed as being affected, we just have to assume they
aren't able to do the same authentication process that W2K Server can
(despite the fact they can install the "same" SMTP Service).
MS02-012 involves a vulnerability in an SMTP command. Exchange 5.5 does
not have a problem with whatever command is vulnerable, whereas the SMTP
Service (the one in IIS) does, ergo, there's a patch there for both
Windows 2000 environments and Windows XP Pro.
If you ask me, it's the right way for Microsoft to inform us of the
issues (although they could explain this in their bulletins instead of
me here). Each issue has its own bulletin (unlike the last IE bulletin),
even if it does mean the same patch is linked by both bulletins (for
some platforms).
Hope this is as clear as mud. Of course I could be completely wrong, it
just takes too long for me to get an answer out of MSRC these days
(they're obviously very busy folks) so I'm taking a stab at explaining
this based on my own *assum*ptions.
Cheers,
Russ - NTBugtraq Editor