XP systems continue to reboot, even with all patches installed an d native firewalling enabled
From: Mark Brown (mark.brown_at_DOCUMENTUM.COM)
Date: 09/12/03
- Previous message: Alun Jones: "Re: NetBIOS Name resolver"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Sep 2003 12:52:45 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Please forgive me if this subject has already been covered.
A small handful of systems in our company continue to reboot in response to
MSBlaster traffic. They have been patched (and we've thoroughly checked the
installed binaries to ensure they are indeed patched). In addition, the
systems all have XP's native firewalling enabled.
Even so, the systems occasionally reboot in response to intermittent stray
MSBlaster traffic that they see from infected walk-in laptops and whatnot.
This is not happening to all XP machines in our enterprise, so naturally I
looked for commonality between the afflicted ones. The only item that
stands out like a sore thumb: they all have the Aventail RAS client
installed and use it to connect to a vendor's network.
In A:B tests, uninstalling the client absolutely resolves the issue.
The important questions in my mind are:
1. Are IPSEC packets from the VPN tunnel just being shimmed in low in the
stack, and never inspected by the XP "firewall"?
2. Does the RPC patch for XP still have a vulnerability if the traffic comes
isn't plain vanilla TCP/IP?
I will explore the possibility with Aventail, but I'd be interested in
hearing from others with a similar issue. I find both possibilities
disturbing.
Kind Regards,
Mark Brown
Mark Brown
Corporate Information Security Officer
Documentum, Inc.
Office: [925] 600-5356
Mobile: [925] 580-6330
<mailto:mmark.brown@documentum.comailto:> mark.brown@documentum.com
<mailto:mark.brown@documentum.com>
---- Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER! With a growth rate exceeding 110%, the TICSA security practitioner certification is one of the hottest IT credentials available. And now, for a limited time, you can save 33% off of the TICSA certification exam! To learn more about the TICSA certification, and to register as a TICSA candidate online, just go to http://www.trusecure.com/offer/s0100/ ----
- Previous message: Alun Jones: "Re: NetBIOS Name resolver"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
