RE: [ISSForum] Network protection case study: Microsoft RPC DCOM vulnerability

From: Washburn, Lisa (ISSAtlanta) (LWashburniss.net)
Date: Mon Aug 11 2003 - 14:08:48 CDT


ISS maintains a separate mailing list for customers that provides information regarding product announcements and updates. While in the past an occasional product announcement may have been sent to this mail list, we have streamlined our communication mechanisms to ensure that each mail list is used only for its intended purpose in accordance with customer requests. All product announcements are available via the ISS Connections mailing list. Customers may sign up for this mailing list at: http://xforce.iss.net/xforce/maillists/. We apologize for any inconvenience this may have caused.

Best regards,
Lisa Washburn

-----Original Message-----
From: Vijver, D (Dirk) [mailto:D.Vijverrf.rabobank.nl]
Sent: Monday, August 04, 2003 6:47 AM
To: issforumiss.net
Subject: RE: [ISSForum] Network protection case study: Microsoft RPC DCOM vulnerability

Dear Sirs/Madams,

The "quality of service", as described below, seems excellent to me. Thanks.
The ISS-tool for checking systems regarding this issue is also much appreciated.

However, as far as I know and can check, this Forum has not been informed of Internet Scanner XPU updates (in my case still for Internet Scanner 6.2.1) since June 6, 2003 (including recent ones to check systems for this vulnerability).
So either there's something wrong with my internal mail system (in which case I apologize for bothering the forum) or ISS forgot to inform the ISS-Forum of recent updates.
I wonder what the experience of other forum members is.

Yours Truly,

Dirk Vijver

-----Original Message-----
From: issforum-adminiss.net [mailto:issforum-adminiss.net]
Sent: Wednesday, July 23, 2003 23:48
To: issforumiss.net
Subject: [ISSForum] Network protection case study: Microsoft RPC DCOM vulnerability

ISS X-Force has had great success over the years at channeling internal
vulnerability research directly into the ISS protection platform. A
core objective of the X-Force R&D organization is to research
vulnerabilities, work with vendors to develop fixes, and update our
protection technologies. Since we have invested so heavily in
vulnerability research, we are not as dependent on the public domain to
gather specific vulnerability and exploit information.

Vulnerability and Protection Timeline:

7/16/2003 - Microsoft Security Bulletin MS03-026 published
7/17/2003 - Protection made available to ISS tech support (<24 hours)
7/18/2003 - XPU packages available (~36 hours later)

In this timeframe, X-Force was able to pinpoint the vulnerability,
develop a functional exploit tool, investigate potential evasion
techniques, and update our protection platform.

No exploit tools or exploit information have been published as of 4:00pm
ET on 7/23/2003. Additionally, no other major network protection
vendors have published updates to detect RPC DCOM attacks.

Vendor               Protection
------               ----------
Symantec             No
Network Associates   No
Cisco                No
Netscreen            No
Snort                No
ISS                  Yes (7/17/2003)

Most network protection vendors develop their protection based only upon
publicly available exploit tools. If hackers choose not to publish
their tools, then no protection is available. Relying on hacker
goodwill to develop protection technology is a dangerous strategy.

For more information about the RPC DCOM vulnerability, please refer to
the X-Force Alert and Microsoft Security Bulletin MS03-026:

http://xforce.iss.net/xforce/alerts/id/147
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsiiss.net
404-236-3160
 
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo

================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.
