[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ntbugtraq
Subject:    MS03-043 Popup Messenger Servce buffer-overflow
From:       "Graham, Robert (ISS Atlanta)" <rgraham () ISS ! NET>
Date:       2003-10-16 13:23:49
[Download RAW message or body]

ISS has released a freeware utility to help scan for this vuln. We feel this vuln is \
pretty important -- at the same level as Blaster and Slammer. It is as wide-spread as \
the RPC/DCOM vuln exploited by Blaster, and it can easily lead to Slammer-style worms \
that slam out a flood of UDP traffic.

The tool is available at:
http://www.iss.net/support/product_utilities/
Note that it's unsupported, and that it's pretty raw at the moment, but the bug is \
pretty new.

One of the interesting aspects of the Messenger bug is that the patch disables the \
MS-RPC interface to the Messenger Service. IT departments can use my tool (or a wide \
variety of other messenger popup spam utilities based on RPC) to constantly notify \
users to apply the patch. As soon as they patch their systems, they automatically fix \
the problem of messenger popup spam. I think our own IT department is planing to run \
the tool on the internal network in order to "nag" our own users into submission. The \
side effect we are hoping for is that users fix the problem by applying Windows \
Update, which fixes other problems as well (such as MS03-039). 

In other words, use the utility now to nag people into updating, then use it a week \
from now to actually find systems that haven't been updated.

Robert Graham
Chief Scientist, ISS

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
12/31/03 and cannot be used in combination with other offers.

----


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic