Re: Article on WebDAV Vulnerability (MS03-007)
From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 03/30/03
- Next message: Amit Kumar Tripathi: "Some Unidendified files on my System"
- Previous message: Karl Levinson [x y] mvp: "Re: Allow user without administrative rights to use the "computer management"?"
- In reply to: Matt Scarborough: "Re: Article on WebDAV Vulnerability (MS03-007)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com> Date: Sun, 30 Mar 2003 09:18:38 -0500
"Matt Scarborough" <vexversa@verizon.net> wrote in message
news:73l78v0b7phegcjfvubk0rht9jclimpdq8@msnews.microsoft.com...
> On Mon, 24 Mar 2003 16:34:07 -0500, Karl Levinson [x y] mvp wrote
> <#X4lw1k8CHA.2040@TK2MSFTNGP10.phx.gbl>
> > The advice from Matt Scarborough stating that URLScan does not limit URL
> > length AFAIK is not exactly correct. Nor is the advice from Microsoft to
> The points I wanted to clarify to Russ in an e-mail that made their way into a
> public FAQ verbatim and slightly out of context were:
Absolutely. I just didn't know how to quibble with the first sentence of
your otherwise excellent and informative post without making it look like I
was disagreeing with you personally.
> When someone is drowning, it is not a good time to teach them to swim. Deploying
> IISLockD 2.1/URLScan 2.0, and then deploying URLScanSRP/URLScan2.5 on top (to
> obtain Query String or URL length limits) was simply an unwarranted waste of
> time when faced with a mutating 0-day attack.
Well, I agree that URLScan 2.5 and the related article have started getting
over the head of the average IIS administrator. However, I absolutely feel
that during the attack is the appropriate time to point out to the
administrators of the remotely compromised servers that this was their fault
for not installing URLScan. Too often, especially with the government, you
only get critical mass for quick action during a very visible attack that
management is aware of. Three weeks later, I guarantee you that this attack
is forgotten about and it's back to business as usual without running
URLScan, and remaining vulnerable to the next zero-day attack that would
otherwise have been blocked by URLScan.
That's why I personally would not have downplayed the importance of
installing URLScan as I feel has been done by NTBugTraq taking down their
NTDLL.DLL FAQ and Microsoft downplaying URLScan in their NTDLL.DLL
workarounds article. I think we all agree that just installing the
NTDLL.DLL patch is not as good as installing the patch plus URLScan, but I
personally don't think most people are getting that message as clearly as
they might be. Most people only go to www.microsoft.com/security when MSNBC
tells them to do so, so to me that's the time to be sure the people that
think one patch makes them secure are getting the message about defense in
depth.
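As an added illustration of the URL length limits and verb filtering discussed in this thread (not taken from the post, from NTBugTraq, or from Microsoft's own documentation), here is a urlscan.ini fragment for URLScan 2.5; the specific limit values are assumptions chosen for this example and would need tuning per site:

```ini
; Example urlscan.ini for URLScan 2.5 (illustration only; limits are assumed
; values, not recommendations from the thread above).

[options]
; Only verbs listed under [AllowVerbs] are accepted; everything else is denied.
UseAllowVerbs=1
; Deny-list extensions instead of allow-listing them.
UseAllowExtensions=0
; Decode the URL before scanning and reject requests that do not normalize cleanly.
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1
; Write long rejected URLs to the log so blocked attempts can be reviewed.
LogLongUrls=1

[AllowVerbs]
; WebDAV verbs such as PROPFIND and SEARCH are not listed, so they are rejected.
GET
HEAD
POST

[RequestLimits]
; Added in URLScan 2.5: caps on URL and query string length in bytes.
; A request whose URL exceeds MaxUrl is rejected before IIS processes it.
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```

Rejected requests appear in the URLScan log with the rule that matched, which is the place to confirm that the limits are actually being applied.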