Educause Security Discussion mailing list archives
Re: Vulnerability scanner for MS05-039
From: Tom Bossie <tbossie () CITADEL COM>
Date: Wed, 17 Aug 2005 12:22:08 -0500
In an effort to aid those in the notification of incidents like the one we have encountered the past few weeks, I would like to offer the following service. "The 2 minute Warning": it is not a commercial or sales gimmick, and it is a free service to our customers that is also open to the public.

The Citadel 2 Minute Warning daily security news broadcast is launch-able right from your inbox each day. It includes all the major threat warnings and security headlines in a news radio style broadcast with links to the full stories. Patches for most of the aforementioned vulns have been available since Aug. 9th.

Launch Today's 2 Minute Warning: www.citadel.com/2minutebroadcast

Please do not take this the wrong way; I am just trying to help!

Thx,
Tom Bossie
Citadel Security Software

-----Original Message-----
From: Chris Russel [mailto:russel () YORKU CA]
Sent: Wednesday, August 17, 2005 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability scanner for MS05-039

On Wed, 17 Aug 2005, Robert Kerr wrote:

> On Tue, 2005-08-16 at 14:17 -0500, Graham Toal wrote:
>
>> I have a *lot* of these:
>>
>> 445 MS04-007 SECURE:MS04-011 SECURE:MS05-039 INCONCLUSIVE [0000f203]
>>
>> Any ideas what the Inconclusive means in that context? They're all XPs. Some of them may not have rebooted yet despite already having received the patch. (We pushed out the updates last week using SMS)
>
> To exploit this vulnerability with XP SP1 or above valid logon credentials are required:
> http://www.microsoft.com/technet/security/advisory/899588.mspx
>
> Seeing as the scanner doesn't have valid logon credentials it's not possible for it to determine for sure whether such machines are patched or not. At least that's my understanding.

Thanks, that is correct for the vast majority of the INCONCLUSIVES. I don't like to say they are patched when I can't tell.

There may be a few vulnerable that report as inconclusive - I am waiting for more information from some people to follow up on that. Although rare on fast networks, in some cases it may be related to the receive timeout. I run it with a longer timeout than the default, you can try "-r 1800". (yes I might change the default...)

--
Chris Russel
Manager CNS Information Security
York University, Toronto, Canada