RE: Blind penetration testing

From: kesem (marty@kesem.net)
Date: 12/17/01


From: "kesem" <marty@kesem.net>
To: "Grab Raham" <grabraham@hotmail.com>, <focus-ms@securityfocus.com>
Date: Mon, 17 Dec 2001 07:51:05 -0500

Mattias,

I recently took a class on securing Cold Fusion in a MS-IIS environment and
mentioned the issue of the installation program that most s/w packages use
(particularly MS patches...) that is installed along w/ IE. I was told the
install program is available as a separate package, though I'm afraid I
cannot tell you what the specific program or download to get.

Other than that, if you need a browser (so many help files use HTM for help
docs now), try a lesser known scaled down browser that's likely to be less
exploited. After all it seems to me that hackers and crackers think it more
'fun' to try to cripple big-bad MS rather than some shareware item.
Marty

-----Original Message-----
From: Grab Raham [mailto:grabraham@hotmail.com]
Sent: Friday, December 14, 2001 6:47 PM
To: focus-ms@securityfocus.com
Subject: RE: Blind penetration testing

If it is NEVER used then other applications would not REQUIRE it, correct?
It may not be used by a human to retrieve files from the internet but other
applications installed on the server may use it to retrieve files from the
internet.

-----Original Message-----
From: Mattias Nyholm [mailto:mattias.nyholm@framfab.se]
Sent: Friday, December 14, 2001 3:29 AM
To: focus-ms@securityfocus.com
Subject: MS01-058/IE patch - why is it rated critical on servers?

Hi all,

I just read MS01-058 which discusses the new patch for IE6
and IE5.5SP2. It's nice to have a cumulative patch for client systems, but
why is it rated as critical for servers as well?

We have IE installed on servers since it is required by other applications,
but is it really necessary to patch IE even on a server where it's never
used?

MS01-058 is available here:
http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

Regards,

Mattias
