Re: Alert: Microsoft Security Bulletin - MS03-039

From: Marc Maiffret (marc_at_EEYE.COM)
Date: 09/10/03

    Date:         Wed, 10 Sep 2003 13:51:31 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Some insight for you all...

    The way that Microsoft patched the new RPC Part II vulnerability actually
    breaks most scanning tools looking for the first flaw.

    That is to say that if your company is using a scanning tool looking for
    MS03-026 and you have installed MS03-039 then your MS03-039 systems will be
    flagged as vulnerable, when they obviously are not.

    Since we actually found the flaw we were able to update Retina and our free
    scanning tool to correctly identify this new vulnerability, and old, without
    getting false positives. Again, last time I checked ISS, Foundstone, and a
    couple free tools (MS's old version), will incorrectly identify systems as
    vulnerable to the old flaw, with this new patch installed.

    Retina 4.9.126 and our free RPC scanner Version 1.1.0 have the correct
    checks that the rest of the scanners are going to need to "model themselves"
    after in order to accurately detect these RPC flaws. Again the free RPC
    scanner tool, with latest RPC check, can be downloaded from:
    http://www.eeye.com/html/Research/Tools/RPCDCOM.html

    Cheers,

    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

    | -----Original Message-----
    | From: Windows NTBugtraq Mailing List
    | [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Russ
    | Sent: Wednesday, September 10, 2003 1:48 PM
    | To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    | Subject: Re: Alert: Microsoft Security Bulletin - MS03-039
    |
    |
    | I knew this was coming...
    |
    | ---------------- Original message -------------------
    | Russ,
    | I installed the patch (MS03-039). Now corporate (still running
    | scans for MS03-026) says I'm vulnerable. I know the technical
    | bulletin describes this in detail. If I understand correctly the
    | scanning tool needs to be updated. Corporate in their infinite
    | wisdom wants me to back out the MS03-039 patch. Is anyone else
    | dealing with this?
    | ---------------- Original message -------------------
    |
    | Well, I have to say that "Corporate" needs to get their head out
    | of their...well, Ok, let me be nicer.
    |
    | Given that MS03-039 is "Critical" according to Microsoft, and
    | "Needs to be applied immediately" for non-TruSecure customers
    | according to me, maybe Corporate should rethink what they are doing.
    |
    | I would not be at all surprised to hear this problem a lot,
    | particularly due to a number of MS03-026 scanning techniques being used:
    |
    | 1. File checking alone will indicate the wrong file
    | versions/hashes. Of course if they were checking for MS03-026, it
    | would make more sense to check for a version number *or higher*
    | rather than strict checking, but if you're checking hashes only
    | it can only fail.
    |
    | 2. Registry checking alone will indicate MS03-026 and MS03-039
    | are installed. MS03-039 doesn't remove or alter the registry keys
    | for KB823980 (MS03-026).
    |
    | 3. Checking for both will fail since the files will be updated
    | but the registry key is still there.
    |
    | IMO, the check should be for MS03-026, and only if that fails,
    | then a check for MS03-039 should be performed. Of course if
    | you're trying to scan thousands of machines that can make for problems.
    |
    | Finally, all of the above only applies if you're thinking all you
    | need is MS03-026. The simple fact is that you need MS03-039, now
    | that it's released, forget about MS03-026 and start scanning all
    | over again.
    |
    | Then again, you could just disable DCOM and be done with it for now.
    |
    | Cheers,
    | Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    |
    | ----
    | Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
    |
    | With a growth rate exceeding 110%, the TICSA security practitioner
    | certification is one of the hottest IT credentials available.
    | And now, for
    | a limited time, you can save 33% off of the TICSA certification exam! To
    | learn more about the TICSA certification, and to register as a TICSA
    | candidate online, just go to
    |
    | http://www.trusecure.com/offer/s0100/
    |
    | ----
    |
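The scanner behaviours discussed in this thread, as an added example that is not part of either message or of any vendor's tool: an exact-match file check and a registry-only check are run beside a "version or higher" check that tests the MS03-026 level and then the MS03-039 level. The file versions, host names and inventory are constructed for illustration and are not the real build numbers; only the KB823980 key name comes from the thread.

```python
# Constructed file versions for illustration only; they are NOT the real
# build numbers shipped by either bulletin.
V_MS03_026 = (5, 0, 0, 200)   # hypothetical fixed build for MS03-026
V_MS03_039 = (5, 0, 0, 300)   # hypothetical fixed build for MS03-039

def parse_version(text):
    """Turn '5.0.0.200' into a tuple so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def strict_check(file_version):
    """Exact match on the MS03-026 build (a hash match fails the same way)."""
    if parse_version(file_version) == V_MS03_026:
        return "patched"
    return "VULNERABLE"

def registry_check(hotfix_keys):
    """Trust the KB823980 hotfix key alone and ignore the files on disk."""
    return "patched" if "KB823980" in hotfix_keys else "VULNERABLE"

def layered_check(file_version):
    """'Version or higher' at the MS03-026 level, then at the MS03-039 level."""
    version = parse_version(file_version)
    if version < V_MS03_026:
        return "VULNERABLE"
    if version < V_MS03_039:
        return "needs MS03-039"
    return "patched (MS03-039)"

# Constructed inventory: host -> (file version, hotfix registry keys)
INVENTORY = {
    "ws-unpatched": ("5.0.0.100", set()),
    "ws-026-only": ("5.0.0.200", {"KB823980"}),
    "ws-039": ("5.0.0.300", {"KB823980"}),  # KB823980 key is left in place
}

def report(inventory):
    """Return host -> (strict, registry-only, layered) verdicts."""
    return {
        host: (strict_check(ver), registry_check(keys), layered_check(ver))
        for host, (ver, keys) in inventory.items()
    }

if __name__ == "__main__":
    for host, verdicts in report(INVENTORY).items():
        print(host, *verdicts, sep=" | ")
```

The strict check reports the MS03-039 host as vulnerable (the false positive described above), while the registry-only check cannot tell the MS03-026-only host from the MS03-039 host.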
