RE: Windows 2000 DCOM clients may leak sensitive information onto the network

From: Adcock, Matt (Matt.Adcock@gsccca.org)
Date: 04/02/02


From: "Adcock, Matt" <Matt.Adcock@gsccca.org>
To: "'Todd Sabin'" <tsabin@razor.bindview.com>, bugtraq@securityfocus.com
Date: Tue, 2 Apr 2002 16:56:02 -0500 

If this is included in SRP1, it looks like Microsoft may not list fixes that
do not have security bulletins associated with them. Q300367 is not on the
listed patches included in SRP1.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q311401&. However,
I took a look at a machine that has SRP1 and all post-SP2 hotfixes for the core
OS, IIS and IE6 installed, and ole32.dll, rpcrt4.dll and rpcss.dll are all
at versions above those mentioned in Q300367.

Thanks,
Matt

<snip>
Vendor Response:

Microsoft has been informed of this issue, and has a fix for it, but
they did not feel the risk is significant enough to warrant releasing a
hotfix. Their knowledge base article can be found at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

The fix is included in the Windows 2000 SRP1.
</snip>