It is a long time since I've had to do one of these "panic" patch deployments, so I think that MS must be getting on top of it - most of the time :-)
On a lighter note, when I got home yesterday morning my cat was pink. I kid you not, God knows what he has been into. 2008/10/27 Ziots, Edward <[EMAIL PROTECTED]> > Ken, > > NO offense but I am too tired and pivved off about this to comment > anymore about technical merits, or who is right or wrong. This > vulnerability is attacking the same darn service that MS06-040 did, with > the same result, unauthenticated remote code execution that is > propagating malware, spyware and worm activity which could definitely > bring networks to a halt and have a snowball effect across the next. > > Like I said before, /End Thread... Moving on.. > > Thanks > EZ > > Edward E. Ziots > Network Engineer > Lifespan Organization > MCSE,MCSA,MCP,Security+,Network+,CCA > Phone: 401-639-3505 > -----Original Message----- > From: Ken Schaefer [mailto:[EMAIL PROTECTED] > Sent: Sunday, October 26, 2008 9:27 PM > To: NT System Admin Issues > Subject: RE: Out of Cycle Critical Windows Patch ? > > Nothing you are saying is in dispute here. But I still don't see any > argument as to why this is the "same type" of vulnerability in 06-040 > that you previously stated, or why it should have been fixed as such. > > That you need to spend time patching things isn't different to anyone > else here. Unfortunately it's a facet of running software these days - > no matter what the platform you'd be having to the same thing. So, if > you are venting, then by all means vent. If you are making some claim > about the technical aspects of this vulnerability or patch, then as I > asked before, can you provide some information/facts/evidence/etc to > substantiate that. Not that I'm doubting you per se, but I'm always > looking to further my own technical knowledge (which is why I'm on this > list) > > Cheers > Ken > > > -----Original Message----- > > From: Ziots, Edward [mailto:[EMAIL PROTECTED] > > Sent: Monday, 27 October 2008 12:08 PM > > To: NT System Admin Issues > > Subject: RE: Out of Cycle Critical Windows Patch ? > > > > Ken, > > > > Basically it's a juicy door for exploits, unauthenticated remote code > > execution, non-authenticated access is just that, unauthenticated, no > > trust, no authenticated before authorization and legitimate access. It > > basically a violate of AAA security principles. Honestly, I personally > > loathe any type of weak or non-existent access to systems, and we seen > > it in this one that it keeps opening up the door for attacks. > > > > Any its pretty easy to get authenticated credentials harvested from > one > > exploited system and use these to wack the rest of them. A quick > > exploit, dump the hashes, run em through ophcrack or jack the ripper, > > and then impersonate those credentials ( hey generic dumb user) and > then > > run your exploit. Its about a trivial exercise. SO as for Vista and > W2k8 > > being a little less vulnerabile, sorry they are just as vulnerable as > > the Win2k,XP, and Win2k3 boxes, when you look at them being on the > same > > network as the others mentioned. > > > > Again, it's a total pain in the preverbal keister, been up far too > many > > hours getting my network straight with this patch, calling for a lot > of > > downtime, and disrupting operations. > > > > Thanks M$ you guys take the cake on this one:) > > > > /END Thread > > Z > > > > Edward E. Ziots > > Network Engineer > > Lifespan Organization > > MCSE,MCSA,MCP,Security+,Network+,CCA > > Phone: 401-639-3505 > > > > -----Original Message----- > > From: Ken Schaefer [mailto:[EMAIL PROTECTED] > > Sent: Sunday, October 26, 2008 8:49 PM > > To: NT System Admin Issues > > Subject: RE: Out of Cycle Critical Windows Patch ? > > > > Um, not sure what you are saying here... > > > > Are you saying that because there are unauthenticated ways of calling > > the Server service, then Microsoft needs to review all the pieces of > > code that the server service calls, even if they aren't part of the > > server service itself? > > > > (FWIW Windows Server 2008 and Vista require authentication by default > to > > the server service, so there's one fix). > > > > I know they are doing code reviews, but as per the SDL blog, this > > particular issue in netapi32.dll is a particularly different one to > fix. > > > > Cheers > > Ken > > > > > -----Original Message----- > > > From: Ziots, Edward [mailto:[EMAIL PROTECTED] > > > Sent: Monday, 27 October 2008 11:44 AM > > > To: NT System Admin Issues > > > Subject: RE: Out of Cycle Critical Windows Patch ? > > > > > > Yean pretty aware that netapi32.dll is called by a lot of items, > which > > > sends the attack vector up quite a bit, but the server service was > the > > > route into both if memory serves me right, so question is why did > > > another unauthenticated RPC error attack with that service as the > > route > > > happen again when they made a fix for a similar vulnerability 2+ yrs > > > ago.. > > > > > > Z > > > > > > Edward E. Ziots > > > Network Engineer > > > Lifespan Organization > > > MCSE,MCSA,MCP,Security+,Network+,CCA > > > Phone: 401-639-3505 > > > -----Original Message----- > > > From: Ken Schaefer [mailto:[EMAIL PROTECTED] > > > Sent: Sunday, October 26, 2008 6:50 PM > > > To: NT System Admin Issues > > > Subject: RE: Out of Cycle Critical Windows Patch ? > > > > > > Hmm - I check MS06-040 again, and I don't think they are the same > > "type" > > > of issue. > > > > > > The current bug is in the NetCanonicalize API - not in the Server > > > service. It's just that the server service is a route to get to that > > bug > > > - because it calls that API. But it's entirely possible for /other/ > > > applications to also call that API. Just use Process Explorer, and > see > > > how many applications are using Netapi32.dll - I think you'll find > > it's > > > a lot. Any of these /might/ also call that API, and become a vector > > for > > > compromise. > > > > > > Cheers > > > Ken > > > > > > > -----Original Message----- > > > > From: Ken Schaefer [mailto:[EMAIL PROTECTED] > > > > Sent: Monday, 27 October 2008 9:28 AM > > > > To: NT System Admin Issues > > > > Subject: RE: Out of Cycle Critical Windows Patch ? > > > > > > > > According to the SDL blog, this is why this particular issue is > not > > > easy to > > > > discover, especially using automated analysis: > > > > http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx > > > > > > > > Cheers > > > > Ken > > > > > > > > > -----Original Message----- > > > > > From: Ziots, Edward [mailto:[EMAIL PROTECTED] > > > > > Sent: Monday, 27 October 2008 12:45 AM > > > > > To: NT System Admin Issues > > > > > Subject: RE: Out of Cycle Critical Windows Patch ? > > > > > > > > > > Yeah someone lit a fire under MSFT arse and they got with the > > > program on > > > > > this one, but only after they detected systems getting exploited > > in > > > the > > > > > wild. Why they didn't determine this flaw back when they patched > > > 06-040 > > > > > for the same type of issue we probably will never know... > > > > > > > > > > Z > > > > > > > > > > Edward E. Ziots > > > > > Network Engineer > > > > > Lifespan Organization > > > > > MCSE,MCSA,MCP,Security+,Network+,CCA > > > > > Phone: 401-639-3505 > > > > > > > > > > -----Original Message----- > > > > > From: Kurt Buff [mailto:[EMAIL PROTECTED] > > > > > Sent: Friday, October 24, 2008 8:08 PM > > > > > To: NT System Admin Issues > > > > > Subject: Re: Out of Cycle Critical Windows Patch ? > > > > > > > > > > Taking this in a slightly different direction... > > > > > > > > > > I told the IT Director and COO yesterday that I was patching all > > > > > servers, and sending an email to all of the laptop users to do > the > > > > > same. > > > > > > > > > > They were a bit skeptical, but not only did the emails that I > > > > > forwarded them from various lists buttress my opinion, this > > morning > > > I > > > > > got forwarded a voicemail by the IT Director, from a rep at > MSFT. > > > Gist > > > > > of the message - MSFT is taking this extremely seriously, and > you > > > > > should patch now. > > > > > > > > > > Director's comments was "nice job, good of you to jump on this." > > > > > > > > > > Anyone else get a call like this from MSFT? It's the first time > > I've > > > > > heard of them doing this, and I take it as a really good sign - > > MSFT > > > > > is finally getting the real clue about this stuff. > > > > > > > > > > Kurt > > > > > > > > > > On Fri, Oct 24, 2008 at 3:52 AM, Oliver Marshall > > > > > <[EMAIL PROTECTED]> wrote: > > > > > > Chaps, > > > > > > > > > > > > The update that was sent out last night, has that caused any > > > issues > > > > > > elsewhere? We've had a spate of calls from users about > problems > > > today, > > > > > > several servers which were set to auto-update for various > > reasons > > > have > > > > > > had varying levels of failure. It's mentally busy here for a > > > Friday, > > > > > and > > > > > > the one thing they have in common is that all the machine > > rebooted > > > for > > > > > > an update last night. > > > > > > > > > > > > Is it just us ? > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~