I didn't think of it like that.... :-)

2008/10/27 Micheal Espinola Jr <[EMAIL PROTECTED]>
> So you came home to find a pink pussy...
>
> Well then. I'm going to walk away from my computer now and find a quiet
> section of the building to giggle my ass off in. Thank you very much.
>
> --
> ME2
>
> On Mon, Oct 27, 2008 at 7:53 AM, James Rankin <[EMAIL PROTECTED]> wrote:
> > It is a long time since I've had to do one of these "panic" patch
> > deployments, so I think that MS must be getting on top of it - most of
> > the time :-)
> >
> > On a lighter note, when I got home yesterday morning my cat was pink. I
> > kid you not, God knows what he has been into.
> >
> > 2008/10/27 Ziots, Edward <[EMAIL PROTECTED]>
> >>
> >> Ken,
> >>
> >> NO offense but I am too tired and pivved off about this to comment
> >> anymore about technical merits, or who is right or wrong. This
> >> vulnerability is attacking the same darn service that MS06-040 did, with
> >> the same result, unauthenticated remote code execution that is
> >> propagating malware, spyware and worm activity which could definitely
> >> bring networks to a halt and have a snowball effect across the next.
> >>
> >> Like I said before, /End Thread... Moving on..
> >>
> >> Thanks
> >> EZ
> >>
> >> Edward E. Ziots
> >> Network Engineer
> >> Lifespan Organization
> >> MCSE,MCSA,MCP,Security+,Network+,CCA
> >> Phone: 401-639-3505
> >>
> >> -----Original Message-----
> >> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> >> Sent: Sunday, October 26, 2008 9:27 PM
> >> To: NT System Admin Issues
> >> Subject: RE: Out of Cycle Critical Windows Patch ?
> >>
> >> Nothing you are saying is in dispute here. But I still don't see any
> >> argument as to why this is the "same type" of vulnerability in 06-040
> >> that you previously stated, or why it should have been fixed as such.
> >>
> >> That you need to spend time patching things isn't different to anyone
> >> else here. Unfortunately it's a facet of running software these days -
> >> no matter what the platform you'd be having to do the same thing. So, if
> >> you are venting, then by all means vent. If you are making some claim
> >> about the technical aspects of this vulnerability or patch, then as I
> >> asked before, can you provide some information/facts/evidence/etc to
> >> substantiate that. Not that I'm doubting you per se, but I'm always
> >> looking to further my own technical knowledge (which is why I'm on this
> >> list)
> >>
> >> Cheers
> >> Ken
> >>
> >> > -----Original Message-----
> >> > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> >> > Sent: Monday, 27 October 2008 12:08 PM
> >> > To: NT System Admin Issues
> >> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >> >
> >> > Ken,
> >> >
> >> > Basically it's a juicy door for exploits, unauthenticated remote code
> >> > execution, non-authenticated access is just that, unauthenticated, no
> >> > trust, no authentication before authorization and legitimate access.
> >> > It's basically a violation of AAA security principles. Honestly, I
> >> > personally loathe any type of weak or non-existent access to systems,
> >> > and we've seen it in this one that it keeps opening up the door for
> >> > attacks.
> >> >
> >> > Any it's pretty easy to get authenticated credentials harvested from
> >> > one exploited system and use these to wack the rest of them. A quick
> >> > exploit, dump the hashes, run em through ophcrack or jack the ripper,
> >> > and then impersonate those credentials (hey generic dumb user) and
> >> > then run your exploit. It's about a trivial exercise. So as for Vista
> >> > and W2k8 being a little less vulnerable, sorry they are just as
> >> > vulnerable as the Win2k, XP, and Win2k3 boxes, when you look at them
> >> > being on the same network as the others mentioned.
> >> >
> >> > Again, it's a total pain in the proverbial keister, been up far too
> >> > many hours getting my network straight with this patch, calling for a
> >> > lot of downtime, and disrupting operations.
> >> >
> >> > Thanks M$ you guys take the cake on this one:)
> >> >
> >> > /END Thread
> >> > Z
> >> >
> >> > Edward E. Ziots
> >> > Network Engineer
> >> > Lifespan Organization
> >> > MCSE,MCSA,MCP,Security+,Network+,CCA
> >> > Phone: 401-639-3505
> >> >
> >> > -----Original Message-----
> >> > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> >> > Sent: Sunday, October 26, 2008 8:49 PM
> >> > To: NT System Admin Issues
> >> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >> >
> >> > Um, not sure what you are saying here...
> >> >
> >> > Are you saying that because there are unauthenticated ways of calling
> >> > the Server service, then Microsoft needs to review all the pieces of
> >> > code that the server service calls, even if they aren't part of the
> >> > server service itself?
> >> >
> >> > (FWIW Windows Server 2008 and Vista require authentication by default
> >> > to the server service, so there's one fix).
> >> >
> >> > I know they are doing code reviews, but as per the SDL blog, this
> >> > particular issue in netapi32.dll is a particularly different one to
> >> > fix.
> >> >
> >> > Cheers
> >> > Ken
> >> >
> >> > > -----Original Message-----
> >> > > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> >> > > Sent: Monday, 27 October 2008 11:44 AM
> >> > > To: NT System Admin Issues
> >> > > Subject: RE: Out of Cycle Critical Windows Patch ?
> >> > >
> >> > > Yeah pretty aware that netapi32.dll is called by a lot of items,
> >> > > which sends the attack vector up quite a bit, but the server service
> >> > > was the route into both if memory serves me right, so question is
> >> > > why did another unauthenticated RPC error attack with that service
> >> > > as the route happen again when they made a fix for a similar
> >> > > vulnerability 2+ yrs ago..
> >> > >
> >> > > Z
> >> > >
> >> > > Edward E. Ziots
> >> > > Network Engineer
> >> > > Lifespan Organization
> >> > > MCSE,MCSA,MCP,Security+,Network+,CCA
> >> > > Phone: 401-639-3505
> >> > >
> >> > > -----Original Message-----
> >> > > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> >> > > Sent: Sunday, October 26, 2008 6:50 PM
> >> > > To: NT System Admin Issues
> >> > > Subject: RE: Out of Cycle Critical Windows Patch ?
> >> > >
> >> > > Hmm - I checked MS06-040 again, and I don't think they are the same
> >> > > "type" of issue.
> >> > >
> >> > > The current bug is in the NetCanonicalize API - not in the Server
> >> > > service. It's just that the server service is a route to get to that
> >> > > bug - because it calls that API. But it's entirely possible for
> >> > > /other/ applications to also call that API. Just use Process
> >> > > Explorer, and see how many applications are using Netapi32.dll - I
> >> > > think you'll find it's a lot. Any of these /might/ also call that
> >> > > API, and become a vector for compromise.
> >> > >
> >> > > Cheers
> >> > > Ken
> >> > >
> >> > > > -----Original Message-----
> >> > > > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> >> > > > Sent: Monday, 27 October 2008 9:28 AM
> >> > > > To: NT System Admin Issues
> >> > > > Subject: RE: Out of Cycle Critical Windows Patch ?
> >> > > >
> >> > > > According to the SDL blog, this is why this particular issue is
> >> > > > not easy to discover, especially using automated analysis:
> >> > > > http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
> >> > > >
> >> > > > Cheers
> >> > > > Ken
> >> > > >
> >> > > > > -----Original Message-----
> >> > > > > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> >> > > > > Sent: Monday, 27 October 2008 12:45 AM
> >> > > > > To: NT System Admin Issues
> >> > > > > Subject: RE: Out of Cycle Critical Windows Patch ?
> >> > > > >
> >> > > > > Yeah someone lit a fire under MSFT arse and they got with the
> >> > > > > program on this one, but only after they detected systems
> >> > > > > getting exploited in the wild. Why they didn't determine this
> >> > > > > flaw back when they patched 06-040 for the same type of issue we
> >> > > > > probably will never know...
> >> > > > >
> >> > > > > Z
> >> > > > >
> >> > > > > Edward E. Ziots
> >> > > > > Network Engineer
> >> > > > > Lifespan Organization
> >> > > > > MCSE,MCSA,MCP,Security+,Network+,CCA
> >> > > > > Phone: 401-639-3505
> >> > > > >
> >> > > > > -----Original Message-----
> >> > > > > From: Kurt Buff [mailto:[EMAIL PROTECTED]
> >> > > > > Sent: Friday, October 24, 2008 8:08 PM
> >> > > > > To: NT System Admin Issues
> >> > > > > Subject: Re: Out of Cycle Critical Windows Patch ?
> >> > > > >
> >> > > > > Taking this in a slightly different direction...
> >> > > > >
> >> > > > > I told the IT Director and COO yesterday that I was patching all
> >> > > > > servers, and sending an email to all of the laptop users to do
> >> > > > > the same.
> >> > > > >
> >> > > > > They were a bit skeptical, but not only did the emails that I
> >> > > > > forwarded them from various lists buttress my opinion, this
> >> > > > > morning I got forwarded a voicemail by the IT Director, from a
> >> > > > > rep at MSFT. Gist of the message - MSFT is taking this extremely
> >> > > > > seriously, and you should patch now.
> >> > > > >
> >> > > > > Director's comment was "nice job, good of you to jump on this."
> >> > > > >
> >> > > > > Anyone else get a call like this from MSFT? It's the first time
> >> > > > > I've heard of them doing this, and I take it as a really good
> >> > > > > sign - MSFT is finally getting the real clue about this stuff.
> >> > > > >
> >> > > > > Kurt
> >> > > > >
> >> > > > > On Fri, Oct 24, 2008 at 3:52 AM, Oliver Marshall
> >> > > > > <[EMAIL PROTECTED]> wrote:
> >> > > > > > Chaps,
> >> > > > > >
> >> > > > > > The update that was sent out last night, has that caused any
> >> > > > > > issues elsewhere? We've had a spate of calls from users about
> >> > > > > > problems today, several servers which were set to auto-update
> >> > > > > > for various reasons have had varying levels of failure. It's
> >> > > > > > mentally busy here for a Friday, and the one thing they have
> >> > > > > > in common is that all the machines rebooted for an update
> >> > > > > > last night.
> >> > > > > >
> >> > > > > > Is it just us ?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~