
List:       patchmanagement
Subject:    Re: Developers and Admins need to read that FAQ section.
From:       Arpitha D <arpi846 () gmail ! com>
Date:       2009-04-15 4:57:59
Message-ID: d57b80810904142145m4f872327k4bf5c4bc91724805 () mail ! gmail ! com

Check out the answers inline, to my knowledge! Hope it helps...

-A

On Wed, Apr 15, 2009 at 4:22 AM, Ben Scott <mailvortex@gmail.com> wrote:

> On Tue, Apr 14, 2009 at 5:05 PM, Susan Bradley <sbradcpa@pacbell.net>
> wrote:
> > http://support.microsoft.com/kb/956572
> > Developers and Admins need to read that FAQ section.
>
>  Thanks for the link.
>
>  I'm looking at Q/A 1 of the "FAQ for system administrators
> (Services.exe)"...
>
> "1. Does your product install services that are started by using the
> SCM framework?"
>
>  SCM = Service Control Manager, I presume.  That's pretty much all
> Windows Services, right?


*[Arpitha] --- No. Services also run using COM infrastructure. You can
check that out by running "tasklist /svc" at cmd prompt.*
*The output also includes those services which are not running under SCM.
[SCM services can be found via services.msc]*

>
> "2. By default, do the services that your product installs run in the
> context of Network Service or Local Service Account?"
>
>  Okay... so am I correct in interpreting the above to mean that *ANY*
> service running as "LocalService" or "NetworkService" is vulnerable to
> MS09-012?


*[Arpitha] -- No again. But, yeah, to some extent. If the service is running
under NS or LocalService, you need to evaluate it to see whether it holds a
SYSTEM token at any point of time, by running your tests against that
service & monitoring it continuously for the tokens.*


>
>  And what about Win 2000, which doesn't have those accounts?  Does it
> apply to *any* service on Win 2000?  Or does it not apply because Win
> 2000 runs services as SYSTEM by default, so Win 2000 doesn't have that
> privilege separation in the first place?
>

*[Arpitha] -- This vulnerability is not applicable to Win2000*


>
>  Anyone know which of the four CVE bugs identified the FAQ applies
> to?  Or is it all of them?


[Arpitha] - FAQ is provided for all the bugs separately [COM, services.msc,
WMI]


>
>
>  Oh my aching head...
>
> -- Ben
>
> ---
> When posting or replying to messages on this list, please send all
> emails in plain text format.  HTML formatted messages will not be accepted.
>
> PatchManagement.org is hosted by Shavlik Technologies
>
> To unsubscribe send a blank email to
> leave-patchmanagement@patchmanagement.org
> If you are unable to unsubscribe via this email address, please email
> owner-patchmanagement@patchmanagement.org
>



-- 
~Arpitha
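
Added example, not part of the original thread: one way for an administrator to build the review list that FAQ question 2 implies, by listing services whose logon account is LocalService or NetworkService and grouping the running ones by host process. It assumes PowerShell 3.0 or later and the standard Win32_Service CIM class; the variable names are illustrative.

```powershell
# Added example: inventory services that log on as LocalService or NetworkService.
# Assumes PowerShell 3.0+ (Get-CimInstance); run from an elevated prompt so that
# every host process can be resolved.

# -match is case-insensitive, so "NT Authority\localservice" is caught as well.
$accounts = '^NT AUTHORITY\\(LocalService|NetworkService)$'

$candidates = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $accounts } |
    Select-Object Name, DisplayName, StartName, State, ProcessId, PathName

# Running services, grouped by host process: services hosted in the same
# process (for example one svchost.exe instance) are reviewed together.
$candidates |
    Where-Object { $_.State -eq 'Running' } |
    Group-Object ProcessId |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID      = [int]$_.Name
            Process  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Account  = ($_.Group.StartName | Sort-Object -Unique) -join ', '
            Services = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Format-Table -AutoSize -Wrap

# Services under the same accounts that are not running now still belong on
# the review list, since they can be started later.
$candidates |
    Where-Object { $_.State -ne 'Running' } |
    Sort-Object StartName, Name |
    Format-Table Name, StartName, State -AutoSize
```

The PID column lines up with the PID column of "tasklist /svc", so the two views can be compared directly.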



