Dailydave mailing list archives

A bad month for MS!


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 23 Oct 2008 13:45:33 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Recently Kostya finished off the IPP exploit (MS08-062) which turns
out to be much more useful than I expected for penetration tests.
Although most penetration tests start out "blind" and you don't have a
username and password, in the real world, a hacker WOULD have a
username or password to the domain, if it's big enough. But since we
rarely do, I was happy to see that on our latest penetration test
there were several machines set up to offer internet printing
anonymously.  Of course, in this particular case, proper network
exfiltration filtering prevented them from getting exploited, but it
was interesting to see real world machines vulnerable to such a thing.

The question you always have is "How reliable is reliable" and I'd
have to say that Kostya's IPP exploit is probably 100% against
standard IIS 5.0, for those of you still running that (welcome to 2008
:>!). MS08-062 is not a bug you would find with a fuzzer, so having
people vulnerable by default makes it obvious that there was a lot of
value to whoever found it, and they were probably using it pretty
widely for them to have gotten caught. This is worse news for MS than
it originally seemed.

This server service bug, on the other hand, is exactly as bad as it
would seem. It's the kind of news for Microsoft (and their customers,
of course) that creates real-world sales problems (much like the
RedHat compromise should have). The world has changed a lot since the
last time a remote vulnerability of this nature came out - now the
distribution of high quality exploits is going to be essentially
instantaneous.

It will be interesting to see how organizations react to this - or if
they react at all.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJALg9tehAhL0gheoRAu9PAJ97HRWZbgR7Eia02u1oCysP8ah6KgCeJ1uI
esxhUFYRvz9+6Wlj0nu774w=
=Bv+0
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
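Dave mentions finding real-world hosts that offer Internet Printing anonymously, which is the precondition for an unauthenticated MS08-062 attempt. The script below is an added example for checking that exposure; it is not code from the post or from Immunity. It assumes that IIS serves its Internet Printing pages under the /printers/ virtual directory, that a 200 without an authentication challenge means anonymous access is allowed while a 401 means credentials are required, and that a 403 or 404 means the feature is absent or blocked. The three sample HTTP responses are constructed for illustration, and a 200 here only shows that the printing directory is reachable anonymously, not that the host is unpatched.

```python
"""Check whether an IIS host exposes Internet Printing (/printers/) without
authentication.  Added example, not from the original post.  The path and the
status-code interpretation are assumptions about IIS 5.0/6.0 behaviour."""
import http.client
from dataclasses import dataclass, field

PRINTERS_PATH = "/printers/"  # IIS Internet Printing virtual directory (assumption)


@dataclass
class ProbeResult:
    status: int
    server: str
    challenges: list = field(default_factory=list)  # WWW-Authenticate values
    verdict: str = "unknown"


def parse_raw_response(raw: bytes):
    """Parse the head of a raw HTTP/1.x response into (status, headers).

    headers is a list of (lowercase name, value) pairs so that repeated
    headers, e.g. several WWW-Authenticate lines, are all preserved."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def classify(status: int, headers) -> ProbeResult:
    """Turn the response to GET /printers/ into a verdict.

    anonymous      -> page served without any credentials
    authenticated  -> printing installed, but IIS challenged (401)
    absent         -> 403/404: not installed or blocked
    unknown        -> anything else (redirects, errors, proxies in the way)"""
    challenges = [v for n, v in headers if n == "www-authenticate"]
    server = next((v for n, v in headers if n == "server"), "")
    if status == 200:
        verdict = "anonymous"
    elif status == 401:
        verdict = "authenticated"
    elif status in (403, 404):
        verdict = "absent"
    else:
        verdict = "unknown"
    return ProbeResult(status, server, challenges, verdict)


def classify_raw(raw: bytes) -> ProbeResult:
    """Classify a captured raw response (handy for offline review of proxy logs)."""
    return classify(*parse_raw_response(raw))


def probe(host: str, port: int = 80, timeout: float = 5.0) -> ProbeResult:
    """Live check: one unauthenticated GET of /printers/, then classify."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PRINTERS_PATH,
                     headers={"Host": host, "User-Agent": "ipp-exposure-check"})
        resp = conn.getresponse()
        headers = [(n.lower(), v) for n, v in resp.getheaders()]
        resp.read()  # drain the body so the connection closes cleanly
        return classify(resp.status, headers)
    finally:
        conn.close()


# Constructed sample responses (not captured from any real host).
SAMPLE_ANONYMOUS = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                    b"Content-Type: text/html\r\n\r\n<html>All Printers on host</html>")
SAMPLE_AUTH = (b"HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
               b"WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
SAMPLE_MISSING = b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/6.0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("anonymous", SAMPLE_ANONYMOUS), ("auth", SAMPLE_AUTH),
                      ("missing", SAMPLE_MISSING)):
        print(name, classify_raw(raw))
    # probe("printserver.example.internal")  # live use against a host you own
```

A result of "anonymous" is the case worth flagging in a report: it is the only one of the four where an attacker who starts without domain credentials, the situation Dave describes as the usual starting point for a test, can even reach the printing code path.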

