Re: MS02-045 exploit is out

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 08/27/02

Date:         Tue, 27 Aug 2002 14:01:16 -0400
From: Russ <Russ.Cooper@RC.ON.CA>

Before too many more messages;

1. SMBDie = RedButton = Wow, incredibly talented programmer. This sure was a tool we needed.

2. If RestrictAnonymous is set, non-authenticated users can't use it, any authenticated user can.

3. If you're in an environment where any old computer connected to your network can use TCP139/TCP445, set up a sniffer (Network Monitor works) and watch for the source of the traffic. Then beat that person over the head with their PC. Do that either before or after you patch your systems with MS02-045. If more testing of the patch is required, beat them a little every day until your testing is complete.

4. If you're in an environment where you have TCP139/TCP445 open to the Internet, you don't need NTBugtraq, you need Dr. Phil. Buy a $50 Linksys router and put it in front of your machine and use it to block all but those few you really want open (which doesn't include those two).

5. Randy Hinders suggests that disabling NetBIOS over TCPIP works, I'm not yet 100% convinced. Either way, it should be easier to apply the patch than disabling NetBIOS over TCPIP.

The MS Security Bulletin honestly did do a great job of explaining all of this, more people should read it more carefully.

Russ - NTBugtraq Editor