Re: Microsoft Security Advisory MS 03-007 - Problems
From: Marc Fossi (mfossi@securityfocus.com)
Date: 03/18/03
- Previous message: Turner, Keith (Contractor): "RE: Microsoft Security Advisory MS 03-007 - Problems"
- In reply to: Joseph Durnal: "Re: Microsoft Security Advisory MS 03-007 - Problems"
- Next in thread: Bill Mote: "RE: Microsoft Security Advisory MS 03-007 - Problems"
- Reply: Bill Mote: "RE: Microsoft Security Advisory MS 03-007 - Problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Mar 2003 10:56:39 -0700 (MST) From: Marc Fossi <mfossi@securityfocus.com> To: josephdurnal@cablespeed.com
I think that one of the most important things to remember about this patch
is that if the MSNBC story is correct, MS only had 5 days or so to develop
and test it. Compare that to other patches that have been released after
weeks or sometimes months of development or testing.
Many of the people who have said that the patch worked ok for them seemed
to have fairly vanilla installs that only ran MS software. I'm sure that
MS probably tested the patch with some of the more common IIS configs (ie.
OWA) before releasing it, but I don't think that they could have
realistically tested the patch against other configs.
There's a strong possibility that the patch may only break IIS servers
running a certain app that uses WebDAV that MS never tested. It could
also be that this certain app happens to be more widely used than most
people would think.
Then again, MS has released buggy patches in the past.
Overall, I think that until things are clear as to whether the patch is
broken or not, people should take a look at some of the workarounds, like
the one Mark Burnett posted earlier today.
Link to Mark Burnett's post in the archive:
http://www.securityfocus.com/archive/88/315375
On Tue, 18 Mar 2003, Joseph Durnal wrote:
> Here is the exact text of the message - I'm not sure
> if I'm allowed to include any infomation about the
> sender, so, I'm not. The best advice is to install
> the patch on a test box and test all required
> functionality before installing it in a production
> environment. My first install on a freslhly built W2K
> server did not indicate that there were any problems.
> I will try to update the group if I get more
> information.
>
> **Message Text**
> Subject: RE: Premier - Product Support Services -
> Microsoft Security Bulletin - MS03-007
> Importance: High
>
> Hi Folks,
>
> We may have identified an issue with applying the
> patch for this security issue. We currently have
> folks in Redmond working on it. Please hold off on
> applying any further patches, until further notice.
>
> As soon as I have more details, I will let you know.
>
> **End Message Text**
>
> Joseph M. Durnal
> josephdurnal@yahoo.com
Marc Fossi
Symantec Corp.
www.symantec.com
----------------------------------------------------------------------
ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data!
It's as simple as placing additional SQL commands into a Web Form input
box giving hackers complete access to all your backend systems!
http://www.spidynamics.com/mktg/sqlinjection33
- Previous message: Turner, Keith (Contractor): "RE: Microsoft Security Advisory MS 03-007 - Problems"
- In reply to: Joseph Durnal: "Re: Microsoft Security Advisory MS 03-007 - Problems"
- Next in thread: Bill Mote: "RE: Microsoft Security Advisory MS 03-007 - Problems"
- Reply: Bill Mote: "RE: Microsoft Security Advisory MS 03-007 - Problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
