Re: [Full-Disclosure] Potential Microsoft PCT worm (MS04-011)

[insecure <insecure@xxxxxxxxxxxxx>]

Gee, the advisory from Corsaire caused a lot of panic? What was your 
reaction when Microsoft issued an almost identical alert about 16 hours 
ago? (reproduced below)

Maybe a little panic is a good thing...

What is this alert?

- Microsoft is aware of code available on the Internet that seeks to exploit
vulnerabilities addressed as part of our April 13th security updates. We are
investigating the situation to help protect our customers.  Specifically,
the reports detail exploit code that attempts to use the IIS PCT/SSL
vulnerability on servers running Internet Information Services with the
Secure Socket Layer authentication enabled.  This vulnerability is addressed
by bulletin MS04-011.  Customers who have deployed MS04-011 are not at risk
from this exploit code.

- Microsoft considers these reports credible and serious and continues to
urge all customers to immediately install the MS4-011 update as well as the
other critical updates provided on April 13th.

- Customers who are still evaluating and testing MS04-011 should immediately
implement the workaround steps detailed for the PCT/SSL vulnerability
detailed in the MS04-011.  In addition, Microsoft has published a knowledge
base article KB187498 at
http://support.microsoft.com/default.aspx?scid=kb;en-us;187498  which
provides additional details on SSL and how to disable PCT without applying
MS04-011.

- We expect to see additional exploits and proof-of-concept code targeting
the April 2004 security bulletin release in coming days and weeks,
potentially including worm or virus examples.



Gadi Evron wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You should be more careful in the future, this email message started a
> lot of panic and alarm.
>
> A worm is coming, we all know that! Whether today, next week or in a
> month, it will come. I appreciate any warning, but not one such as this.
>
> This advisory below however is not from Microsoft, and although I am
> sure you meant no harm, it appears to come from MS, format-wise and it
> might even imply so in a first glance.
>
> Non of the people I talked this over see a worm yet, so please be more
> careful in the future, because unless you have actual information, this
> advisory is nothing but mis-leading and a recycle of old information -
> which I am sure you didn't mean, but rather just gathered relevant
> information in an MS-like format for us all to benefit from.
>
> Since you claim to have the "new" exploit, how about a snort signature,
> for example, or more information?
>
> Sorry if I have been rude.
>
> Thank you.
>
>     Gadi Evron.
>
>
> advisories wrote:
>
> | Potential Microsoft PCT worm (MS04-011)
> |
> | A revised exploit has been released for the PCT flaw in the last 
> 24-hrs by
> | THC (THCIISSLame.c). For the last few hours we have also been receiving
> | uncorroborated anecdotal evidence from reliable sources that a working
> worm
> | is being trialled on the Internet, in preparation for imminent
> release. The
> | primary concern is that this flaw affects unpatched SSL enabled IIS
> servers,
> | which could potentially be thousands of hosts.
> |
> | The official Microsoft patch (MS04-011) is strongly recommended for
> | immediate application. However, for some organisations, change 
> control and
> | software dependency testing have meant that there has not been 
> enough time
> | to test and apply the patch widely. Additionally there have been
> reports of
> | some organisations experiencing reliability issues after applying this
> | patch, and so they have halted the rollout.
> |
> | As time is of the essence, an alternative to applying the patch is
> available
> | by disabling PCT. This option has been tested by Corsaire with the THC
> | exploit on Microsoft Windows 2000 SP4 IIS only (but we have no 
> reason to
> | doubt that this approach will work just as well on the alternative MS
> | platforms).
> |
> | There is a Microsoft knowledgebase article that describes the full
> process.
> | Be sure to follow the instructions to the letter, otherwise there is 
> the
> | risk that you will still be exposed:
> | http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
> |
> |
> | -- Background --
> |
> | Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft
> | http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
> |
> |
> | -- Distribution --
> |
> | This security advisory may be freely distributed, provided that it
> | remains unaltered and in its original form.
> |
> |
> | -- Disclaimer --
> |
> | The information contained within this advisory is supplied "as-is" with
> | no warranties or guarantees of fitness of use or otherwise. Corsaire
> | accepts no responsibility for any damage caused by the use or misuse of
> | this information.
> |
> |
> | Copyright 2004 Corsaire Limited. All rights reserved.
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
> |
> |
>
> - --
> Email: ge@xxxxxxxxxxxxx Backup: ge@xxxxxxxxxxx
> Phone: +972-50-428610 (Cell).
>
> PGP key for attachments: 
> http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
> ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
> GPG key for encrypted email:
> http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
> ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (MingW32)
>
> iD8DBQFAiZGaqH6NtwbH1FARAgj5AJ9MfHDE91X/pirb9bkES7pb8+lqPQCfQUIG
> 1xSzEu3quaFYYkfwcd99kBk=
> =QP+k
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html