October 14th, 2003, 10:53 PM
ISS announces new M$ RPC vulnerability (thread race condition)
ISS just announced a vulnerability they discovered where the RPC service can go into a multi-threaded race condition when processing RPC requests.
See it here: http://xforce.iss.net/xforce/alerts/id/155
I'm pissed that there's yet another RPC vulnerability but even more upset at ISS for announcing it BEFORE M$ has a patch released.
Microsoft has not yet released patches to address the vulnerability
Not trying to open the vulnerability disclosure can-o-worms here (pun intended?) but how irresponsible on part of ISS! Now, nobody call me a hipocrit please, because I am posting this info: it's already public (on ISS's web site and sure to spread) --we as security practitioners need to be aware!
ISS claims they are releasing this info due to "publicly available expoit tools are in circulation":
So the question is....do you release the announcement after an exploit is in the wild or after the patch has been issued?...ponder that a bit...
Microsoft was notified by ISS X-Force on October 13, 2003 in response to public discussions of the vulnerability and inaccurate assessments of its scope. Additionally, disclosure of this vulnerability was accelerated because publicly available exploit tools are in circulation to demonstrate the DoS condition.
October 14th, 2003, 10:56 PM
Perhaps there is a reason for announcing it before the patch is released: so that admins could be aware and put in some type of security protection (extra eyes on the RPC) until the patch is released because the exploit is so dangerous?
It's sorta like notifying people of SARS and the dangerous of it before a cure or even figuring out what it was! Sometimes it can be preventative to just let the community know what the dangers are.
And personally, I believe in full disclosure.