[16026] in bugtraq
FW: Windows 9x? (Re: Microsoft Security Bulletin (MS00-047))
daemon@ATHENA.MIT.EDU (Forrester, Mike)
Tue Aug 1 15:59:52 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <CEE0B7A5C566D4118621009027DE24767EF1@hsadenmx02.hsacorp.net>
Date: Mon, 31 Jul 2000 21:12:56 -0600
Reply-To: "Forrester, Mike" <mforrester@HSACORP.NET>
From: "Forrester, Mike" <mforrester@HSACORP.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Microsoft did the same with bulletin MS00-036 (found by COVERT labs too). I
posted this same question to NTBUGTRAQ when MS00-036 was released, but Russ
didn't post it and proceeded to argue about it (which I figured would be a
waste of time). I gave a bad example, but he missed the point. Now back to
the point... Why didn't they post a fix or even acknowledge it this time?

From the FAQs for MS00-036:

"The computer browser protocol is implemented on all Windows systems. Why
isn't there a patch for Windows 95, Windows 98 and Windows NT 4.0 Server,
Terminal Server Edition?

These systems do implement the Computer Browser protocol, but we have not
developed a patch to add the RefuseReset and MaximumBrowseEntries functions
for these systems. The reason is because the networks in which the attack at
issue here would pose the greatest risk - large networks with many users -
are exactly those most unlikely to use these systems as browsers."

They at least gave a reason last time even though they included their usual
'people wouldn't ever do it that way anyway' comment. Either it's a
security hole or it isn't. Right? Maybe Windows Me (lol) is getting all of
the attention.

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO 80246
mforrester@hsacorp.net - +1 303 256 2134
-----Original Message-----
From: Peter W
To: BUGTRAQ@SECURITYFOCUS.COM
Sent: 7/29/00 3:03 PM
Subject: Windows 9x? (Re: Microsoft Security Bulletin (MS00-047))
COVERT says that the problem they reported also occurs on Windows 95 and
Windows 98. Why are those OSes not listed here?
-Peter
At 5:58pm Jul 27, 2000, Microsoft Product Security wrote:
> Patch Available for "NetBIOS Name Server Protocol Spoofing"
> Vulnerability
> Originally Posted: July 27, 2000
> Affected Software Versions
> ==========================
> - Microsoft Windows NT 4.0 Workstation
> - Microsoft Windows NT 4.0 Server
> - Microsoft Windows NT 4.0 Server, Enterprise Edition
> - Microsoft Windows NT 4.0 Server, Terminal Server Edition
> - Microsoft Windows 2000
> Patch Availability
> ==================
> - Windows 2000:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370
> - Windows NT 4.0 Workstation, Server, and Server, Enterprise
> Edition: Patch to be released shortly.
> - Windows NT 4.0 Server, Terminal Server Edition: Patch to be
> released shortly.
> Acknowledgments
> ===============
> Microsoft thanks the following customers for working with us to
> protect customers:
>
> COVERT Labs at PGP Security, Inc., for reporting the unsolicited
> NetBIOS Name Conflict datagram issue to us.
> Sir Dystic of Cult of the Dead Cow for reporting the Name Release
> issue to us.