Bugtraq mailing list archives

Re: ISS Internet Scanner Cannot be relied upon for conclusive


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 10 Feb 1999 19:37:07 +1100


In some mail from David LeBlanc, sie said:

> At 09:46 AM 2/8/99 -0500, Chris Brenton wrote:
> > Many security audit tools that I've tested would in fact say that the
> > system is safe because SP4 has been installed. This is because instead
> > of checking file dates, they are looking for registry keys which
> > identify what patches have been loaded on the system.
> >
> > I personally can not say if ISS's scanners fall into the same boat, but
> > from my testing I know many do.
>
> We check file dates when checking for NT patches, and would catch your
> example.

I don't see how that can be considered "adequate".

However, going back to "cops" (could be considered to be the origin of
such processing), it appears it performed the same evil.

For .dll's and friends which are supplied with service packs, I can't
see why you would not use a cryptographic checksum to ensure that the
file there is what you think it is.

Darren
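
The contrast drawn in this message, as an added example that is not part of the original post or of any scanner discussed in the thread: a file-date check and a cryptographic-checksum check run against the same file. SHA-256, the manifest layout, the file names and the timestamp are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(directory, manifest):
    """manifest maps file name -> (expected mtime, expected SHA-256 hex).
    Returns file name -> (date_ok, hash_ok); a missing file fails both."""
    results = {}
    for name, (mtime, digest) in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = (False, False)
            continue
        date_ok = int(os.stat(path).st_mtime) == mtime
        hash_ok = hmac.compare_digest(sha256_file(path), digest)
        results[name] = (date_ok, hash_ok)
    return results

def demo():
    # Constructed stand-ins: not real service pack contents, names or dates.
    patched = b"constructed bytes standing in for the patched DLL"
    older = b"constructed bytes standing in for the pre-patch DLL"
    mtime = 918000000  # constructed timestamp (assumption)
    expected = hashlib.sha256(patched).hexdigest()  # SHA-256 is an assumption
    manifest = {"example.dll": (mtime, expected),
                "absent.dll": (mtime, expected)}
    runs = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.dll")
        for content in (patched, older):
            with open(path, "wb") as f:
                f.write(content)
            os.utime(path, (mtime, mtime))  # the date is identical in both runs
            runs.append(audit(d, manifest))
    return runs

if __name__ == "__main__":
    for label, result in zip(("patched file", "older file, same date"), demo()):
        print(label, result)
```

In the second run the date check still passes while the checksum check fails, which is the gap the message points at.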


