Re: CR II - winME? confirmation? (Slightly OT)

From: Michael J. Cannon (mcannon@ubiquicomm.com)
Date: 08/08/01


Message-ID: <001b01c11fa8$1a2d55b0$63409418@scooby>
From: "Michael J. Cannon" <mcannon@ubiquicomm.com>
To: "kam" <kam@aversion.net>, "Amer Karim" <amerk@telus.net>, "VULN-DEV List" <VULN-DEV@securityfocus.com>
Subject: Re: CR II - winME? confirmation? (Slightly OT)
Date: Tue, 7 Aug 2001 20:18:58 -0500

In Win2K, hit "<CTRL>-<ALT>-<DEL>" (the three-finger M$ salute), and the
System Control Panel comes up...press "<T>ask Manager" Select the
"Processes" tab, by mousing over and left-clicking it, and then press the
"Image Name" button.

Over 80% of my W2K Pro clients' desktops show 'inetinfo.exe' as a running
process, although Web Services are disabled. Many programs take advantage
of the IIS server and aren't nice enough to ask for permission (just as many
programs install IIS 4 on NT Workstation and don't ask).

Bottom line: if there's a patch for your OS version or any client you could
possibly be running (SNA Server, SQL Server, various O2K apps,
Exchange...name it, it goes on forever) apply the patch. Otherwise YOU are
responsible for the consequences.

The horrendously idiotic and unprofessional VB and VC++ developers and
"engineers" in Microsoft proper and in the M$ development community use .dll
files, such as the one Code Red exploits, and do not ask the user's
permission to do so. Granted, with the intelligence of the majority of
Windows users, it's doubtful most would be able to make an informed
decisison even if they WERE asked, but they should be asked. For instance,
if you have installed any number of IDEs or Network Intrusion Detection
software for Windows, chances are, that's where the IIS server came from.

What's REALLY stupid, is that these same developers and OS vendors ask us,
as security professionals, to keep track of their ridiculous efforts at
'software engineering,' while continuing to release the same buggy,
virtually inoperable, insecure code.

Plain English: They (including Microsoft and te Windows dev community)
release buggy, insecure code on purpose and then blame us when we can't
'secure' it. You cannot secure what was inherently insecure in the first
place.

Mike
----- Original Message -----
From: "kam" <kam@aversion.net>
To: "Amer Karim" <amerk@telus.net>; "VULN-DEV List"
<VULN-DEV@securityfocus.com>
Sent: Tuesday, August 07, 2001 12:35 PM
Subject: Re: CR II - winME? confirmation? (Slightly OT)

> Without IIS running, an attacker has no means of exploiting the vulnerable
> file. With no access to the file, the vulnerability does not exist. If
> they're running IIS, then there is a hole which they can exploit. Even
> though it comes installed by default on 2000, it's not a risk until you
turn
> on your web services.
>
> kam
>
> ----- Original Message -----
> From: "Amer Karim" <amerk@telus.net>
> To: "VULN-DEV List" <VULN-DEV@SECURITYFOCUS.COM>
> Sent: Tuesday, August 07, 2001 10:03 AM
> Subject: Re: CR II - winME? confirmation? (Slightly OT)
>
>
> > Hi All,
> >
> > All the advisories about CR state that only IIS servers are vulnerable.
> > However, it's my understanding that the unchecked buffer in idq.dll was
> the
> > source of that vulnerability. If that's the case, then why have the
> > advisories not included Win2K systems (all flavours) since idq.dll is
> > installed by default as part of the indexing service on all these
> systems -
> > regardless of whether they are using the service or not? Wouldn't that
> make
> > ANY system with the indexing service on it just as vulnerable as systems
> > with IIS? Am I overlooking something obvious here?
> >
> > Regards,
> > Amer Karim
> > Nautilis Information Systems
> > e-mail: amerk@telus.net, mamerk@hotmail.com
> >
> >
> >
>



Relevant Pages

  • Re: balloon tips
    ... In win95 I had been able to install the IIS server as part of a package called Visual InterDev - however my new XP Home OS was having none of that so I had to fork out nearly 100 pounds sterling to get XP Pro with its IIS. ... but was it the Home edition? ...
    (microsoft.public.windows.vista.general)
  • Re: Qualys
    ... IIS server. ... They take false positives ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
    (Pen-Test)
  • Re: IIS outgoing http vulnerability
    ... Do you want to allow a specific application hosted on your IIS server to ... > allow connections to specific ports. ... > founded in a vulnerability that I feel is redundant and logically ... > "Buffer overruns should be handled by a good firewall. ...
    (microsoft.public.inetserver.iis.security)
  • Re: MS IIS Lockdown tool
    ... Subject: MS IIS Lockdown tool ... I do not have a server that I dare install this on, ... If anyone wants to set this up, or has, I will happily audit the security. ... > locking an IIS server down with this then running a Nessus ...
    (Focus-Microsoft)
  • Re: VS 2003 Cannot Create Web Applications
    ... I suspect the problem is mainly focus on the IIS. ... I've met such problems before such as when install he IBM's websphere and ... httpServer which blocks the IIS server which make the VS.NET unable to ... create web projects. ...
    (microsoft.public.dotnet.framework.aspnet)