
List:       patchmanagement
Subject:    RE: Microsoft Security Bulletin MS08-062 - Important
From:       "Ziots, Edward" <EZiots () Lifespan ! org>
Date:       2009-07-30 14:02:37
Message-ID: CBD73348AD43344DAE3736A72831CDC90566F20F () LSCOEXCH1 ! lsmaster ! lifespan ! org

Actually, 

When you look at the KB closer, and then take a look at your IIS setup,
and look at the risk inherent to your organization you might find that
the risk is not that high or negligible at all. 

1) IPP must be enabled, by default in Windows 2003 with IIS 6.0 it isn't
enabled as an extension, therefore risk is mitigated. 

2) How could an attacker exploit the vulnerability? (From the Kbase)
An attacker could send a specially crafted HTTP POST request to a
vulnerable web server that would cause the server to connect to a
machine controlled by the attacker acting as a printer using IPP.
(Again if you remove the POST as the available HTTP verbs to the
webserver, then the method used to exploit is not available, therefore
risk is mitigated.)

3) Do you really need to use IPP, given its flaws and issues going all
the way back to IIS 5.0 on Windows 2000? I think we all would be a
little smarter about what we enable in IIS for functionality building
off the lessons of the past, lest we are gluttons for punishment and
want to make the same mistakes over and over again and put the
organizations/businesses we work for at risk. I, for one, am not of
that majority of putting business at risk.

4) There is public exploit code and attacks on going with this flaw, but
you need to look at your controls in place, and ascertain how likely
that this is going to happen in your organization/business and likewise,
again it comes down to risk management. 

Plain and simple, if you aren't doing the risk assessments and
mitigations and then assessing the residual risk of these
vulnerabilities based on the controls you have in place and the
likelihood of attack and the successful compromise then you aren't
advising your businesses correctly as to what risks they are truly up
against, thus creating more work and worry and uncertainty which helps
nobody in the end. 

Don: Question, which other attack vectors does the IPP ISAPI.dll, if not
loaded as an extension and not loaded into the inetinfo.exe or w3wp.exe
process, have within IIS?  If it isn't loaded it isn't loaded, nothing
to attack if the process isn't loaded into memory, or available by any
other means, unless you could possibly get it to load by COM
Instantiation or something like that. 

EZ

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
eziots@lifespan.org
Phone:401-639-3505

-----Original Message-----
From: Jarmon, Don R [mailto:Don.Jarmon@Intergraph.com] 
Sent: Wednesday, July 29, 2009 12:27 PM
To: Patch Management Mailing List
Subject: RE: Microsoft Security Bulletin MS08-062 - Important

That is the problem / concern.  There is a .dll with a known
vulnerability inherent to all Windows OS.  Windows Update should offer
the hotfix without regards to IIS and Internet Printing status.  The
.dll is subject to other attack vectors.  Folks are dependent on Windows
Update reporting all's clear. 

-----Original Message-----
From: Susan Bradley [mailto:sbradcpa@pacbell.net] 
Sent: Tuesday, July 28, 2009 10:51 AM
To: Patch Management Mailing List; Jarmon, Don R
Subject: Re: Microsoft Security Bulletin MS08-062 - Important


    *   *MS08-062: Security Update for Windows Server 2008, Windows
      Server 2003, Windows XP, and Microsoft Windows 2000 (KB953155)*

      Locale: All
      Deployment: Windows Update, Microsoft Update, Automatic Updates,
      WSUS, and Catalog
      Classification: Security Updates
      Security severity rating: Important
      Target platforms: Windows Server 2008, Windows Server 2003,
      Windows XP, and Microsoft Windows 2000
      Approximate file sizes:
          o Windows Server 2008 update: ~ 321KB
          o Windows Server 2008 x64 update: ~ 631KB
          o Windows Server 2003 update: ~ 581KB
          o Windows Server 2003 for IA-64 update: ~ 1249KB
          o Windows Server 2003 x64/Windows XP x64 update: ~ 1249KB
          o Windows XP update: ~ 583KB
          o Windows 2000 update: ~ 570KB
      Description:
      A security issue has been identified that could allow an
      unauthenticated remote attacker to compromise your Microsoft
      Windows-based system and gain control over it. You can help
      protect your computer by installing this update from Microsoft.
      After you install this item, you may have to restart your
      computer.
      http://go.microsoft.com/fwlink/?LinkId=120829

You only need it if you have the Internet printing bits enabled.

If it's not enabled, then it won't be vulnerable.


I am running one of the platforms that are listed in the affected
software table. Why am I not being offered the update?

The update will only be offered to systems on which the affected
component is installed. Microsoft Windows 2000 and Windows XP systems
that do not have Microsoft Internet Information Services (IIS) installed
are not affected and will not receive this update. Windows Server 2003
and Windows Server 2008 systems that do not have both IIS and Internet
printing installed are not affected and will not receive this update.

http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx

Jarmon, Don R wrote:
> The patch for KB 953155 seems to be missing from the Windows Update
> catalog.  Windows servers update are reporting "No high-priority updates
> for your computer are available" and missing the KB953155 hotfix.  This
> would result in 100% patched servers being vulnerable to this
> exploit.
>
> Microsoft Security Bulletin MS08-062 - Important
> Vulnerability in Windows Internet Printing Service Could Allow Remote
> Code Execution (953155)
> Published: October 14, 2008 | Updated: October 29, 2008
>
> Don Jarmon - CISSP
> Sr. Technical Consultant - Secure Computing
> Security, Government & Infrastructure (SG&I) Division
> Intergraph Corporation
> P.O. Box 6695, Huntsville, AL 35813 USA 
> P 1.256.730.2366 F 1.256.730.6816
> Don.Jarmon(at)Intergraph.com, www.intergraph.com
>
>
> ---
> When posting or replying to messages on this list, please send all
> emails in plain text format.  HTML formatted messages will not be
> accepted.
>
> PatchManagement.org is hosted by Shavlik Technologies
>
> To unsubscribe send a blank email to
> leave-patchmanagement@patchmanagement.org
> If you are unable to unsubscribe via this email address, please email
> owner-patchmanagement@patchmanagement.org
>
>
>   

