RE: Microsoft Security Advisory MS 03-007 - Problems

From: Bill Mote (bill.mote@mem.com)
Date: 03/18/03

  • Next message: Jim Hull at 044: "RE: Microsoft Security Advisory MS 03-007 - Problems"
    From: "Bill Mote" <bill.mote@mem.com>
    To: "Marc Fossi" <mfossi@securityfocus.com>
    Date: Tue, 18 Mar 2003 13:35:03 -0500
    
    

    Doesn't this all come down to risk management? Are you vulnerable? How
    likely are you to be exploited? Weigh that against the level of effort to
    test and deploy the M$ sanctioned patch in your environment. If you're a
    yahoo.com then you may have to spend the time and the money to do the
    appropriate testing in a short amount of time. If you're a mom & pop
    organization with low traffic volume you may not have as great a risk.

    The problem is in that the vulnerability allows complete control of the
    system. So not patching is like playing the lottery. Count each of your
    visitors as an auto-lotto ticket buyer. The more of 'em you sell; the more
    likely you are to have a winner =) If a hacker finds your site (a.k.a. our
    winner) you better be patched.

    Bill

    -----Original Message-----
    From: Marc Fossi [mailto:mfossi@securityfocus.com]
    Sent: Tuesday, March 18, 2003 12:57 PM
    To: josephdurnal@cablespeed.com
    Cc: Focus-MS; mikeheitz@upshotmail.com; jgrotegut@directpointe.com
    Subject: Re: Microsoft Security Advisory MS 03-007 - Problems

    I think that one of the most important things to remember about this patch
    is that if the MSNBC story is correct, MS only had 5 days or so to develop
    and test it. Compare that to other patches that have been released after
    weeks or sometimes months of development or testing.

    Many of the people who have said that the patch worked ok for them seemed
    to have fairly vanilla installs that only ran MS software. I'm sure that
    MS probably tested the patch with some of the more common IIS configs (ie.
    OWA) before releasing it, but I don't think that they could have
    realistically tested the patch against other configs.

    There's a strong possibility that the patch may only break IIS servers
    running a certain app that uses WebDAV that MS never tested. It could
    also be that this certain app happens to be more widely used than most
    people would think.

    Then again, MS has released buggy patches in the past.

    Overall, I think that until things are clear as to whether the patch is
    broken or not, people should take a look at some of the workarounds, like
    the one Mark Burnett posted earlier today.

    Link to Mark Burnett's post in the archive:
    http://www.securityfocus.com/archive/88/315375

    On Tue, 18 Mar 2003, Joseph Durnal wrote:

    > Here is the exact text of the message - I'm not sure
    > if I'm allowed to include any infomation about the
    > sender, so, I'm not. The best advice is to install
    > the patch on a test box and test all required
    > functionality before installing it in a production
    > environment. My first install on a freslhly built W2K
    > server did not indicate that there were any problems.
    > I will try to update the group if I get more
    > information.
    >
    > **Message Text**
    > Subject: RE: Premier - Product Support Services -
    > Microsoft Security Bulletin - MS03-007
    > Importance: High
    >
    > Hi Folks,
    >
    > We may have identified an issue with applying the
    > patch for this security issue. We currently have
    > folks in Redmond working on it. Please hold off on
    > applying any further patches, until further notice.
    >
    > As soon as I have more details, I will let you know.
    >
    > **End Message Text**
    >
    > Joseph M. Durnal
    > josephdurnal@yahoo.com

    Marc Fossi
    Symantec Corp.
    www.symantec.com

    ----------------------------------------------------------------------
    ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data!
    It's as simple as placing additional SQL commands into a Web Form input
    box giving hackers complete access to all your backend systems!
    http://www.spidynamics.com/mktg/sqlinjection33

    ----------------------------------------------------------------------
    ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data!
    It's as simple as placing additional SQL commands into a Web Form input
    box giving hackers complete access to all your backend systems!
    http://www.spidynamics.com/mktg/sqlinjection33


  • Next message: Jim Hull at 044: "RE: Microsoft Security Advisory MS 03-007 - Problems"

    Relevant Pages

    • Re: Microsoft Security Advisory MS 03-007 - Problems
      ... My first install on a freslhly built W2K ... patch for this security issue. ... > Do you Yahoo!? ... How a Hacker Uses SQL Injection to Steal Your SQL Data! ...
      (Focus-Microsoft)
    • Confusion about versions
      ... MS02-061 patch is: 2000.80.679.0. ... Q317748 was a SQL hotfix that was not a security bulletin. ... after the first SQL patch that corrected the vulnerability Slammer ... make it easier to install. ...
      (NT-Bugtraq)
    • RE: Increasing ICMP Echo Requests
      ... SQL servers fall under the purview of security-related staff who subscribe ... Alright, if the patch works, there are no foulups, there is nothing else to ... > Well no I don't expect Joe shmoe to know this, ... > technical IT security event. ...
      (Incidents)
    • Re: Microsoft AppCenter and W32/SQLSlammer
      ... I am aware of the issue with AppCenter, and I would also like to pass ... As of late last night the AppCenter patch issue had not been ... There was a handle leak introduced into SQL in SQL Service Pack 2. ... Cisco have said very little, apart from recommending that people patch, ...
      (NT-Bugtraq)
    • Re: Patches and Updates
      ... I'm having the exact same problem, I am also running Dual CPU. ... let me install it. ... > dual CPU setup (look at the description of the patch requirement). ... >> server it says there is a patch missing for SQL but it won't load it. ...
      (microsoft.public.windows.server.sbs)