[9475] in bugtraq


Re: ISS Internet Scanner Cannot be relied upon for conclusive

daemon@ATHENA.MIT.EDU (Darren Reed)
Thu Feb 11 15:33:57 1999

Date: 	Wed, 10 Feb 1999 19:37:07 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         dleblanc@MINDSPRING.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3.0.3.32.19990209110525.00cb9640@mail.mindspring.com> from
              "David LeBlanc" at Feb 9, 99 11:05:25 am

In some mail from David LeBlanc, sie said:
>
> At 09:46 AM 2/8/99 -0500, Chris Brenton wrote:
> >Many security audit tools that I've tested would in fact say that the
> >system is safe because SP4 has been installed. This is because instead
> >of checking file dates, they are looking for registry keys which
> >identify what patches have been loaded on the system.
> >
> >I personally can not say if ISS's scanners fall into the same boat, but
> >from my testing I know many do.
>
> We check file dates when checking for NT patches, and would catch your
> example.

I don't see how that can be considered "adequate".

However, going back to "cops" (could be considered to be the origin of
such processing), it appears it performed the same evil.

For .dll's and friends which are supplied with service packs, I can't
see why you would not use a cryptographic checksum to ensure that the
file there is what you think it is.

Darren
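
The three checks discussed in this thread, compared side by side. This is an added example, not part of the original message or of any scanner's code. The file names, the timestamps, the service pack level stored as a plain integer, the use of SHA-256 and the manifest of known-good hashes (assumed to come from a trusted source) are all constructed for illustration.

```python
import hashlib
import os
import tempfile

PATCH_TIME = 918_000_000      # constructed: epoch seconds of the patched build
REQUIRED_SP = 4               # service pack level the audit expects

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def audit(root, manifest, registry_sp):
    """Per file: would each of the three checks report 'patched'?"""
    verdicts = {}
    for name, good_hash in manifest.items():
        path = os.path.join(root, name)
        present = os.path.isfile(path)
        verdicts[name] = {
            "registry": registry_sp >= REQUIRED_SP,  # says nothing about the file
            "date": present and os.path.getmtime(path) >= PATCH_TIME,
            "hash": present and sha256_file(path) == good_hash,
        }
    return verdicts

def demo():
    patched, old = b"constructed patched build", b"constructed pre-patch build"
    # (contents on disk, mtime) for three constructed files
    files = {
        "good.dll": (patched, PATCH_TIME),
        "reverted.dll": (old, PATCH_TIME - 86400 * 200),  # older copy put back
        "touched.dll": (old, PATCH_TIME + 3600),          # old bytes, fresh timestamp
    }
    manifest = {name: hashlib.sha256(patched).hexdigest() for name in files}
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mtime) in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (mtime, mtime))
        return audit(root, manifest, registry_sp=4)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The registry check passes all three files, the date check catches only the reverted one, and only the hash comparison flags both files whose contents are not the patched build.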
