3 Party Security Holes
From: Carboni, Mark (Mark.Carboni@FMR.COM)
Date: 10/15/02
Date: Tue, 15 Oct 2002 08:28:45 -0400
From: "Carboni, Mark" <Mark.Carboni@FMR.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ:
Writing you this note about what my team found yesterday while
researching a SOAP fault issue, and figured I'd share this with you and maybe
the list if you think it has merit.
We run NT 4 Server and IIS 4, with all Security Patches. We have several
pieces of 3rd party software installed including:
1) Oracle Open Client 1.1.7b
2) Java 2 RT
C:\>java -version
java version "1.3.1_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_04-b02)
Java HotSpot(TM) Client VM (build 1.3.1_04-b02, mixed mode)
Both of the above installs put 'msvcrt.dll' into their respective 'bin'
directories, and the system path has been modified to refer to those
bin directories. Oracle puts in version 6.10.8455 (WIN2000 support type
DLL) and Java 2 RT puts in 6.0.8337, an inferior version to the one in the
system32 directory, which is 6.0.8397.
Currently this is (I believe, not 100% yet) causing an MTX thread to randomly
go into 100% CPU utilization. (An ongoing issue that might have just popped
its head out of the background noise.)
Point: MS Security patches touch main system DLLs, but the vulnerabilities
will still exist via 3rd Party Software installs. The route a hacker might
take will be just a slight bit different.
-Mark
Principal SWE/Developer
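As an added example (not from the post or its author), a Python script that walks the PATH directories for copies of msvcrt.dll and reports any copy older than the one in system32; the version read goes through the Win32 version-info API via ctypes, so the live scan only works on Windows. The directory paths in the demo inventory are assumptions; the three version numbers are the ones given in the post.

```python
import ctypes
import os

def win_file_version(path):
    """FileVersion of a PE file as a 4-tuple from VS_FIXEDFILEINFO; None if absent (Windows only)."""
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not (ver.GetFileVersionInfoW(path, 0, size, buf)
            and ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length))):
        return None
    ffi = ctypes.cast(ptr, ctypes.POINTER(ctypes.c_uint32 * 13)).contents
    ms, ls = ffi[2], ffi[3]  # dwFileVersionMS, dwFileVersionLS
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def parse_version(text):
    """'6.10.8455' -> (6, 10, 8455, 0): pad to four fields so tuples compare cleanly."""
    parts = [int(p) for p in text.replace(",", ".").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def find_shadowed_copies(path_dirs, system_dir, dll, version_of):
    """[(directory, version)] for PATH copies of dll older than the system_dir copy.
    version_of(full_path) -> tuple or None, so the scan runs on the real filesystem or an inventory."""
    reference = version_of(os.path.join(system_dir, dll))
    if reference is None:
        return []
    norm = lambda d: os.path.normcase(os.path.normpath(d))
    hits = []
    for d in path_dirs:
        if not d or norm(d) == norm(system_dir):
            continue  # skip empty PATH entries and system32 itself
        found = version_of(os.path.join(d, dll))
        if found is not None and found < reference:
            hits.append((d, found))
    return hits

def demo_inventory():
    """Constructed inventory mirroring the post: Oracle ships a newer msvcrt.dll, Java an older one."""
    dirs = {"C:\\WINNT\\system32": "6.0.8397", "C:\\orant\\bin": "6.10.8455",
            "C:\\jdk1.3.1_04\\bin": "6.0.8337"}  # paths are assumed; versions are the post's
    inventory = {os.path.join(d, "msvcrt.dll"): parse_version(v) for d, v in dirs.items()}
    return find_shadowed_copies(list(dirs), "C:\\WINNT\\system32", "msvcrt.dll", inventory.get)

if __name__ == "__main__":
    system_dir = os.path.join(os.environ.get("SystemRoot", "C:\\WINNT"), "system32")
    for d, v in find_shadowed_copies(os.environ["PATH"].split(os.pathsep), system_dir, "msvcrt.dll", win_file_version):
        print(f"{d}: msvcrt.dll {'.'.join(map(str, v))} is older than the system32 copy")
```

Run it on a host after applying a patch that replaces a system DLL; any directory it prints still carries the pre-patch copy that a process started from that directory will load first.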