
RE: Microsoft Security Advisory MS 03-007 - Problems

From: Bill Mote <bill.mote(at)mem.com>
Date: Tue Mar 18 2003 - 13:35:03 EST


Doesn't this all come down to risk management? Are you vulnerable? How likely are you to be exploited? Weigh that against the level of effort to test and deploy the M$ sanctioned patch in your environment. If you're a yahoo.com then you may have to spend the time and the money to do the appropriate testing in a short amount of time. If you're a mom & pop organization with low traffic volume you may not have as great a risk.

The problem is that the vulnerability allows complete control of the system. So not patching is like playing the lottery. Count each of your visitors as an auto-lotto ticket buyer. The more of 'em you sell, the more likely you are to have a winner =) If a hacker finds your site (a.k.a. our winner) you better be patched.

Bill

-----Original Message-----
From: Marc Fossi [mailto:mfossi@securityfocus.com]
Sent: Tuesday, March 18, 2003 12:57 PM
To: josephdurnal@cablespeed.com
Cc: Focus-MS; mikeheitz@upshotmail.com; jgrotegut@directpointe.com
Subject: Re: Microsoft Security Advisory MS 03-007 - Problems

I think that one of the most important things to remember about this patch is that if the MSNBC story is correct, MS only had 5 days or so to develop and test it. Compare that to other patches that have been released after weeks or sometimes months of development or testing.

Many of the people who have said that the patch worked ok for them seemed to have fairly vanilla installs that only ran MS software. I'm sure that MS probably tested the patch with some of the more common IIS configs (i.e. OWA) before releasing it, but I don't think that they could have realistically tested the patch against other configs.

There's a strong possibility that the patch may only break IIS servers running a certain app that uses WebDAV that MS never tested. It could also be that this certain app happens to be more widely used than most people would think.

Then again, MS has released buggy patches in the past.


Overall, I think that until things are clear as to whether the patch is broken or not, people should take a look at some of the workarounds, like the one Mark Burnett posted earlier today.

Link to Mark Burnett's post in the archive: http://www.securityfocus.com/archive/88/315375

On Tue, 18 Mar 2003, Joseph Durnal wrote:

> Here is the exact text of the message - I'm not sure

Marc Fossi
Symantec Corp.
www.symantec.com



ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data! It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! http://www.spidynamics.com/mktg/sqlinjection33

Received on Tue Mar 18 14:35:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:28 EDT

