[15759] in bugtraq


Re: Microsoft Security Bulletin (MS00-048)

daemon@ATHENA.MIT.EDU (Mikael Olsson)
Wed Jul 12 16:05:31 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <396B795B.C58D05F@enternet.se>
Date:         Tue, 11 Jul 2000 21:45:31 +0200
Reply-To: Mikael Olsson <mikael.olsson@ENTERNET.SE>
From: Mikael Olsson <mikael.olsson@ENTERNET.SE>
X-To:         Richard Waymire <rwaymi@microsoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Richard Waymire wrote:
>
> for 3) Yes, the vulnerability allowed this.  A basic misunderstanding
> between what you're saying for #3 and what I'm saying is that I'm assuming
> you have patched your server and then carrying the discussion forward.

Gotcha,

Jenik <jenik@CPOL.COM> stated that the FAQ for MS00-048 should mention
xp_cmdshell() for the above reasons, thereby implicitly assuming that the
patch is not (yet) installed. That's where I was coming from. Your
comments flew in the face of what I understood the vulnerability to be,
hence my questions.

> Clearly you are at great risk without this patch being applied.

Yes. I guess Jenik just wanted to make sure that the Average User(tm)
would understand the exact dangers involved.

Well, no point in discussing this non-issue any further.

Regards,
Mikael Olsson

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson@enternet.se
