RE: Blind penetration testing

From: kesem
Date: 12/17/01

From: "kesem" <>
To: "Grab Raham" <>, <>
Date: Mon, 17 Dec 2001 07:51:05 -0500


I recently took a class on securing Cold Fusion in a MS-IIS environment and
mentioned the issue of the installation program that most s/w packages use
(particularly MS patches...) that is installed along w/ IE. I was told the
install program is available as a separate package, though I'm afraid I
cannot tell you what the specific program or download to get.

Other than that, if you need a browser (so many help files use HTM for help
docs now), try a lesser known scaled down browser that's likely to be less
exploited. After all it seems to me that hackers and crackers think it more
'fun' to try to cripple big-bad MS rather than some shareware item.

-----Original Message-----
From: Grab Raham []
Sent: Friday, December 14, 2001 6:47 PM
Subject: RE: Blind penetration testing

If it is NEVER used then other applications would not REQUIRE it, correct?
It may not be used by a human to retrieve files from the internet but other
applications installed on the server may use it to retrieve files from the

-----Original Message-----
From: Mattias Nyholm []
Sent: Friday, December 14, 2001 3:29 AM
Subject: MS01-058/IE patch - why is it rated critical on servers?

Hi all,

I just read MS01-058 which discusses the new patch for IE6
and IE5.5SP2. It's nice to have a cumulative patch for client systems, but
why is it rated as critical for servers as well?

We have IE installed on servers since it is required by other applications,
but is it really necessary to patch IE even on a server where it's never

MS01-058 is available here:



