Re: Windows 98 ASN.1 Vulnerability?

From: Duncan Corps (duncancorps_at_netscape.net)
Date: 02/20/04 

Date: Fri, 20 Feb 2004 11:52:07 +0000

OK, calm down, let's look at what's happened so far. First of all;

[Greg Kujawa wrote:]
> I have read other places that supposedly Windows 98 is vulnerable to
> the recently announced Microsoft ASN.1 exploit.

... followed by;

[SFB wrote:]
> Win 98 is not affected.
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp

[Greg Kujawa wrote:]
> I know that Windows 98 isn't listed as being an affected platform.
> But nevertheless I have read on other security news boards that
> Windows 98 indeed *can* be exploited by this same method and Microsoft
> supposedly will distribute the necessary patch if the end user calls
> in and requests it.

... followed by;

[SFB wrote:]
> Bigger *sigh* then don't believe that 98 is not in the list and have
> bad dreams about it.

... followed by;

[Greg Kujawa wrote:]
> Well I just got e-mailed the Windows 98 SE version of the hotfix.

... followed by;

[SFB wrote:]
> The Hotfix for what? Stay paranoid if you want to but don't start to
> lie about things. You are refering to some forum from security focus
> http://www.securityfocus.com/archive/1/353655/2004-02-16/0 I cannot
> make anything out of this and since I am not with MS I find myself
> independent enough to judge. It is Bogus.

... and finally;

[Greg Kujawa wrote:]
> The hot fix for your issue has been packaged and placed on an HTTP
> site for you to download.
>
> WARNING: This fix is not publicly available through the Microsoft
> website as it has not gone through full Microsoft regression testing.

So, the hotfix wasn't e-mailed to you. You were just told where it could be
found, but it hasn't been fully tested yet and is not publicly available.

Sounds like everybody's telling the truth. Windows 98 (and 98SE?) and ME
*are* vulnerable (what about Windows 95?), but Microsoft aren't admitting
it yet (damned "security through obscurity" again, aaargh!) and the fix is
not available to the general public (yet?). Greg knows about this because
he didn't trust Microsoft, but SFB is following the official line and is
being deceived.

http://www.securityfocus.com/archive/1/354509/2004-02-17/2004-02-23/0 is
worrying.

On a related note, does this mean that Microsoft's security advisories
cannot be trusted to be accurate, complete and truthful? There's a lot of
danger to users if MS report vulnerabilities but pretend that some versions
of Windows aren't vulnerable just because the fix isn't ready yet.

Dunc 

-- 
   _| _ _  _  ___  _  ___
  (_| \_/ / \ \_  /-\ \ /
   Sent with Mozilla 1.6