Re: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

To: "Randal, Phil" <prandal@xxxxxxxxxxxxxxxxxxxx>, "BuqtraqNT (E-mail)" <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>, "BugtraqSecurity (E-mail)" <Bugtraq@xxxxxxxxxxxxxxxxx>, "Full-Disclosure (E-mail)" <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Tue, 15 Feb 2005 23:02:12 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <86144ED6CE5B004DA23E1EAC0B569B580465603B@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Actually, the KB article is incorrect. Only other users from the samedial-up ISP given IP's considered in the same "local" subnet would be ableto have NBT traffic considered local and thus pass through the firewall. Itis not "anyone on the Internet" as the KB states. They would still need ausername and password to access the resource. Additionally, one should notethat on non-domain member systems, administrators would have to explicitlyallow FPS exceptions after the fact for this to be an issue in the firstplace, and even so, only after going in and manually binding FPS to thedial-up interface which is disabled by default. You really have to goaround your gluteus maximus to present this as an issue. So, IMO, it is nota major security hole.

The Invalid_Process_Attach_Attempt bug does not have security implications,though in particular configurations a DOS does condition exists. DOS !=security vulnerability in this case.

But, not withstanding the above caveats, I agree with you that 886185 isstill a potential security issue, and for that reason, should be checked byMBSA.

----- Original Message -----From: "Randal, Phil" <prandal@xxxxxxxxxxxxxxxxxxxx>To: "BuqtraqNT (E-mail)" <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>;"BugtraqSecurity (E-mail)" <Bugtraq@xxxxxxxxxxxxxxxxx>; "Full-Disclosure(E-mail)" <full-disclosure@xxxxxxxxxxxxxxxx>

Sent: Tuesday, February 15, 2005 2:09 AM

Subject: RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer notseeing KB887742 and KB886185

KB887742: "A computer that is running Microsoft Windows XP Service Pack
2 (SP2), Microsoft Windows XP Tablet PC Edition 2005, or Microsoft
Windows Server 2003 unexpectedly stops. Additionally, the following Stop
error message appears on a blue screen: Stop 0x05
(INVALID_PROCESS_ATTACH_ATTEMPT)".

That's a denial of service.  There are security implications there.

KB886185: "After you set up Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that anyone on the Internet can
access resources on your computer when you use a dial-up connection to
connect to the Internet."

That looks like a major security hole to me.

Cheers,

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxx] On Behalf
Of Threlkeld, Richard
Sent: 15 February 2005 00:19
To: James Lay; BuqtraqNT (E-mail); BugtraqSecurity (E-mail);
Full-Disclosure (E-mail)
Subject: [Full-Disclosure] RE: Microsoft Baseline Security
Analyzer not seeing KB887742 and KB886185

These are not security updates.  KB887742 is for a stop error
(http://support.microsoft.com/kb/887742) and  KB886185 is an
update for network scope on the Windows Firewall
(http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .

The MBSA scans for Security Updates only, not every hotfix
ever released.  Note that a "Critical" patch is not
necessarily a "Security"
patch.  You may be thinking of the "Maximum severity" levels
of the MS*-xxx security bulletins which are not the same thing.

Best,

Richard Threlkeld
Microsoft MVP - SMS
http://myitforum.techtarget.com/blog/rthrelkeld/

-----Original Message-----
From: James Lay [mailto:jlay@xxxxxxxxxxxx]
Sent: Monday, February 14, 2005 10:24 AM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
(E-mail)
Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
KB886185

Subject line says it all....just did a fresh install of WinXP
SP2....was using MBSAFU to make sure it would patch...which
it did.  However Windows Update shows still needing KB887742
and KB886185.  MBSA shows no critical patches need updated.
Systeminfo shows that both KB887742 and
KB886185 are NOT installed.  I'm using latest MBSA.  Anyone
else see this?  Kinda sucks :(

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer no t seeing KB887742 and KB886185
  - From: Randal, Phil

Prev by Date: SHA-1 broken
Next by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Previous by thread: RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer no t seeing KB887742 and KB886185
Next by thread: [Full Disclosure] Using DHTML XSS to launch HHCTRL exploit
Index(es):
- Date
- Thread