[Dailydave] sky != falling

From: Dave Aitel (daveimmunitysec.com)
Date: Fri Oct 14 2005 - 10:45:32 CDT


I know everyone is freaking, but I don't think there's going to be a DTC
worm. More to the point, Sinan Eren doesn't think there's going to be a
DTC (MS05-051) worm, and if anyone knows, it's him. Even if you can
predict or leak VirtualAlloc() addresses, which is probably unlikely
for anyone any time soon, there's a lot of variables in the kinds of
machines that are vulnerable. Is that SP4 up2date? Is it slipstream?
This bug isn't going to have a worm. I hate to step up against Marc and
Neel, but imo, no worm.

If there IS a worm, I predict it's going to be the ms_netware bug. That
bug is so easy (once you have a decent widechar.py - thanks bas!) that
you can use it in buffer overflow 101 classes. The umpnp bug is a bit
more complex, you can overwrite eip with 00XX00YY where XX and YY are
characters from a registry key you get to pick. It's fun for the whole
family. Do you A) spam the heap with lots of your shellcode? or B) off
by two EIP and hope for something cool? C) find an 0day.

I got some questions from various people asking "What's the most
important bug just released?" My answer was "Who cares? The most
important bug is the one that will get released next month."

Has anyone noticed that Microsoft requires you to download and run a
"validation tool" from an HTTP:// site in order to get the rollup
patch? It's like a dsniffer's dream come true.

-dave