Re: Microsoft Security Bulletin - MS02-011 and MS02-012

From: Evan Mann (emann@QUESTINC.ORG)
Date: 02/28/02


Date:         Thu, 28 Feb 2002 08:07:26 -0500
From: Evan Mann <emann@QUESTINC.ORG>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The Exchange v5.5 patch from MS02-011 points to an Exchange 5.5 post SP4
patch that was released way back in October of 2001. I can't seem to find
anything that indicates this patch has changed since its release date and
the release of MS02-011 which references this Exchange patch (Exchange 5.5
IMC Patch 2655.55). Is this patch, in fact, unchanged, and this is just
another exploit that affected the files this old Exchange 5.5 patch had
repaired back in October 2001?

-----Original Message-----
From: Russ [mailto:Russ.Cooper@RC.ON.CA]
Sent: Wednesday, February 27, 2002 11:19 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Microsoft Security Bulletin - MS02-011 and MS02-012

After reading the two new bulletins, some may find them a bit confusing.

Both MS02-011 and MS02-012 point to the same patch when the Windows 2000
SMTP service (the one in IIS) is involved. This makes sense, if you
think about it, one patch addresses both issues.

However, MS02-011 involves a vulnerability that affects not only the
Windows 2000 SMTP Service, but also the Internet Mail Connector in
Exchange Server 5.5. As such, MS02-011 has a patch for Exchange 5.5
environments also. Further, this vulnerability involves authentication
against the SMTP service using NTLM. Since Windows 2000 Pro and Windows
XP Pro are not listed as being affected, we just have to assume they
aren't able to do the same authentication process that W2K Server can
(despite the fact they can install the "same" SMTP Service).

MS02-012 involves a vulnerability in an SMTP command. Exchange 5.5 does
not have a problem with whatever command is vulnerable, whereas the SMTP
Service (the one in IIS) does, ergo, there's a patch there for both
Windows 2000 environments and Windows XP Pro.

If you ask me, it's the right way for Microsoft to inform us of the
issues (although they could explain this in their bulletins instead of
me here). Each issue has its own bulletin (unlike the last IE bulletin),
even if it does mean the same patch is linked by both bulletins (for
some platforms).

Hope this is as clear as mud. Of course I could be completely wrong, it
just takes too long for me to get an answer out of MSRC these days
(they're obviously very busy folks) so I'm taking a stab at explaining
this based on my own *assum*ptions.

Cheers,
Russ - NTBugtraq Editor
