[10935] in bugtraq

Re: Fwd: Information on MS99-022

daemon@ATHENA.MIT.EDU (Vanja Hrustic)
Mon Jul 5 00:29:02 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <4.1.19990705030044.00d32a10@emx>
Date: 	Mon, 5 Jul 1999 04:08:04 +0700
Reply-To: Vanja Hrustic <vanja@SIAMRELAY.COM>
From: Vanja Hrustic <vanja@SIAMRELAY.COM>
X-To:         Darren Reed <avalon@coombs.anu.edu.au>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199907041236.WAA29393@cheops.anu.edu.au>

At 10:36 PM 7/4/99 +1000, Darren Reed wrote:
>I would hazard a guess that the number of custom IDS systems in place is
>a small number, so if you compare the number of hackers who would gain
>information on how to exploit this feature and otherwise wouldn't (i.e.
>script kiddies) and weigh that against those that run custom IDS solutions,
>I think the scales will tip in favour of the script kiddies.  I say that

According to this logic, eEye shouldn't have published their IIS4 advisory at
all. Many script kiddies got the information (and tools) on how to exploit
the vulnerability.

>because if you have your own IDS system, chances are you've built it on
>a Unix system and hence run Unix elsewhere through your firewall, etc,
>and wouldn't need to worry about this threat because you don't have IIS4.0
>on any critical systems.  Does that make some sense ?

No.

Just to clarify something (the main reason why I actually replied):

I live/work in Asia - which is the main reason why I'm not happy with the
Microsoft approach.

US/Europe/Australia are not worried about this issue. But Asia is. And I
need to deal with customers who also have IIS4. Reason enough to be worried.

Looking at the 'business side', if I need to make a 'blind' intrusion test
(no information supplied by the customer at all), how can I state that IIS4
is vulnerable or not? I can't - but the "security vendor" can. Not really
fair ;)

Regards,

Vanja
