Results 1 to 2 of 2

Thread: ISS announces new M$ RPC vulnerability (thread race condition)

  1. #1
    oldie ric-o's Avatar
    Join Date
    Nov 2002

    Unhappy ISS announces new M$ RPC vulnerability (thread race condition)

    ISS just announced a vulnerability they discovered where the RPC service can go into a multi-threaded race condition when processing RPC requests.

    See it here: http://xforce.iss.net/xforce/alerts/id/155

    Microsoft has not yet released patches to address the vulnerability
    I'm pissed that there's yet another RPC vulnerability but even more upset at ISS for announcing it BEFORE M$ has a patch released.

    Not trying to open the vulnerability disclosure can-o-worms here (pun intended?) but how irresponsible on part of ISS! Now, nobody call me a hipocrit please, because I am posting this info: it's already public (on ISS's web site and sure to spread) --we as security practitioners need to be aware!

    ISS claims they are releasing this info due to "publicly available expoit tools are in circulation":

    Microsoft was notified by ISS X-Force on October 13, 2003 in response to public discussions of the vulnerability and inaccurate assessments of its scope. Additionally, disclosure of this vulnerability was accelerated because publicly available exploit tools are in circulation to demonstrate the DoS condition.
    So the question is....do you release the announcement after an exploit is in the wild or after the patch has been issued?...ponder that a bit...

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Redondo Beach, CA
    Perhaps there is a reason for announcing it before the patch is released: so that admins could be aware and put in some type of security protection (extra eyes on the RPC) until the patch is released because the exploit is so dangerous?

    It's sorta like notifying people of SARS and the dangerous of it before a cure or even figuring out what it was! Sometimes it can be preventative to just let the community know what the dangers are.

    And personally, I believe in full disclosure.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts