Re: Fwd: Information on MS99-022

[Vanja Hrustic <vanja@SIAMRELAY.COM>]

At 10:36 PM 7/4/99 +1000, Darren Reed wrote:
>I would hazard a guess that the number of custom IDS systems in place is
>a small number, so if you compare the number of hackers who would gain
>information on how to exploit this feature and otherwise wouldn't (i.e.
>script kiddies) and weigh that against those that run custom IDS solutions,
>I think the scales will tip in favour of the script kiddies.  I say that

According to this logic, eEye shouldn't have publish their IIS4 advisory at
all. Many script kiddies got the information (and tools) on how to exploit
the vulnerability.

>because if you have your own IDS system, chances are you've built it on
>a Unix system and hence run Unix elsewhere through your firewall, etc,
>and wouldn't need to worry about this threat because you don't have IIS4.0
>on any critical systems.  Does that make some sense ?

No.

Just to clarify something (the main reason why I actually replied):

I live/work in Asia - which is the main reason why I'm not happy with the
Microsoft approach.

US/Europe/Australia are not worried about this issue. But Asia is. And I
need to deal with customers who also have IIS4. Reason enough to be worried.

Looking at the 'business side', if I need to make a 'blind' intrusion test
(no information supplied by the customer at all), how can I state that IIS4
is vulnerable or not? I can't - but the "security vendor" can. Not really
fair ;)

Regards,

Vanja