Nexcess
hxxp://www.securityfocus.com/news/8003

What are they on about? It sounds really big.
-Nexy


Maybe it's one of these...

hxxp://eeye.com/html/Research/Advisories/AD20040210.html

hxxp://eeye.com/html/Research/Advisories/AD20040210-2.html
Erra
I would say it's both of those ones you mention...

Problem is, it runs on ports 135, 139 and 445.

These ports have been blocked by a lot of ISPs since Blaster, Messenger and Workstation, which all used these ports. That's why Workstation and Messenger weren't great exploits IMHO.
Divx_dude
Some ISPs don't block it, like mine, so it'll come in handy when the exploit is released. Good job for the post!
wlingard
OMG .. looks like Microshit are in for some more hardcore worm action!

That's a serious couple of vulnerabilities.. deffo something to watch!

Thanks for posting!

//WL
PrarieDog
Yup, these new ones will definitely make a splash in micro$hit.
blazeking
how long before a brave virus author releases one to exploit these? a week? two? place your bets now!


and this is not just an attempt to get to 50... some part of me actually enjoys hearing about a security hole, then patching my own system, and watching the rest of the world suffer because they are too stupid or too lazy to keep up with the crap M$ spews out.

then again at work i'm going to have a hell of a time informing people how to stay up to date... didn't we do this with blaster? wtf? stupid users, if it wasn't for job security, i'd get rid of them.
elfeo
Couldn't be that tonight??
Gotisch
9 days from now for a public release !
elfeo
That's a bet, or u know that for sure?
dillusionalchaos
He wouldn't be posting it publicly if he knew, 'cause if it was released the feds would come after him first.
dstevens1958
lol, well, while all u ppl were betting on a release date, I was finishing up the removal of some bastard worm that got in my machine. (My mistake: I freshly formatted, wasn't aware of a nasty exploit, didn't have AV installed yet, and paid dearly for it.) I'm not sure if this worm was actually the exploit; it could just be coincidence that I got infected while a crazy exploit was flying around everywhere. Thankfully my firewalls caught most of the outbound traffic that this thing was trying to send out (mostly attacking port 135), but I'm sure some got through.

Why am I telling u this? Well, first so you can laugh at me. Second, just a reminder that after you format, install AV before downloading files! lol. I was just being lazy, thinkin', 'ah, haven't got a virus for 3 months, I'll be OK!' Well, that blew up in my face and I spent a couple hours trying to kill the stupid thing and gather up my firewall logs in case my ISP gets angry with me. It hit pretty good; my ISP actually dropped offline for a while, and connections were flaky at best. However, web surfing was completely impossible, as was using MSN. (Well, at least I could ping google, just couldn't search for anything other than... packets? lol)

See what happens when I use windowz? I get attacked. Use Linux, and I get productive! <<sigh>> It will never end....

Take care!

Dave
Major Chrome
Actually, I think he was just trying to make 50 posts.
nubela
lol.. wad xploit is it?
tba
yes please be specific
ComSec
btw....

Vendor Status:

Microsoft has released a patch for these vulnerabilities. The patch is available at:

http://www.microsoft.com/technet/security/...in/MS04-007.asp

Nexcess
The tech. details are always interesting. Between 007 and 006, that's about every PC made in the past couple of years.

*smile*
ipc$hacker
QUOTE (Major Chrome @ Feb 11 2004, 01:54 AM)
Actually, I think he was just trying to make 50 posts.

and why u follow him?
h3llraz0r
Looks like a really nasty screw-up by Microsoft again.
DJohn84
And the countdown begins to when someone will attach a worm to this.

Ah well, bring on the source code.
n4than_69
> -----Original Message-----
> From: Marc Maiffret [mailto:mmaiffret@eeye.com]
> Sent: Tuesday, February 10, 2004 10:20 AM
> To: BUGTRAQ@securityfocus.com
> Subject: EEYE: Microsoft ASN.1 Library Length
> Overflow Heap Corruption

> Microsoft ASN.1 Library Length Overflow Heap
> Corruption
>
> Release Date:
> February 10, 2004
>
> Date Reported:
> July 25, 2003
>
> Severity:
> High (Remote Code Execution)
>
> Systems Affected:
> Microsoft Windows NT 4.0 (all versions)
> Microsoft Windows 2000 (SP3 and earlier)
> Microsoft Windows XP (all versions)
>
> Software Affected:
> Microsoft Internet Explorer
> Microsoft Outlook
> Microsoft Outlook Express
> Third-party applications that use certificates
>
> Services Affected:
> Kerberos (UDP/88)
> Microsoft IIS using SSL
> NTLMv2 authentication (TCP/135, 139, 445)

http://www.eeye.com/html/Research/Advisories/AD20040210.html
http://www.eeye.com/html/Research/Advisori...20040210-2.html
tba
Dude, we know that now, how to get the patches. Do you have any code for this thang?
Cyphie
I'm sure when someone has developed exploit code for this vulnerability it will be kept private for a while.
tba
Well then, has anyone found the code for this "leak"?
Cow|
Ahhh, who said that 2004 wouldn't be a good year?
Vosgia
I heard about it early in the morning, on every radio station.
So I think all administrators will patch their systems soon.
QuadMedic
Oh, this could be a nice one........... Thanx for MicroSnot........ we have to patch our servers daily.....
DMX2
Nice nice....

Hope to see a real working exploit soon...


Greetzzz to all
Yorn
This exploit is not limited to blocked ports. In fact, in some instances the ISPs CANNOT block them. Like Kerberos. If they blocked that, universities nationwide would throw their hands in the air in disgust.

Any bets on what new vulnerabilities this patch is going to open?
shiz
QUOTE

Any bets on what new vulnerabilities this patch is going to open?


lol..

but seriously, this is all over the news here where I live...
we immediately saw scanning activities increase at our school's network..
:S
tba
why scanning if there is no compiled version???
Thom
Good question
Raedemer
Can't wait to see the exploit code, but I think lots of ISPs secured the ports which this bug is using. Publish the code, and I think lots of ppl will update their PC.
spooky
hm
I think this bug (ASN.1 Library) has been known to Microsoft for 6 months.

But the code of the leak isn't public yet (I think).

If someone finds the code, I think no one will make it public, 'cause this would be deadly for all Windows users ^^
(hmm, but sounds funny)
Divx_dude
lol, if it comes public, everyone that didn't patch their systems will be a stro or something else
Copkill
I hope it comes before all systems are patched.
nolimit
2 reasons for scanning I can think of right off the top of my head:
#1: Preparation for public POC release.
#2: Not everyone waits for a POC; some are able to recreate the overflow on their own.
xzibit
QUOTE (tba @ Feb 11 2004, 03:30 PM)
why scanning if there is no compiled version???

Just because u don't see it, doesn't mean it's not there.
hitu
Microsoft has been releasing patches for it frequently.. seems somethin' big.
Erra
QUOTE (xzibit @ Feb 11 2004, 08:54 PM)

just because u don't see it, doesn't mean it's not there

How very true........ exploits are very often private first....

eEye discovered it, so they will have the exploit code somewhere...

Lusty
Yeah.. would be very nice with that kind of exploit.. Hope it comes soon.
Max_Payne
Seems that everyone freaked out already..

QUOTE

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://www.microsoft.com/technet/security/...in/MS04-007.asp

The following error was encountered:

Connection Failed
The system returned:

    (60) Operation timed out


ahaha
Paul
Most of the "useful" exploits are private first; when it's almost "dead" it'll be released publicly.
Though, you only need one PC to get in, and lanhack the other ones.
'Cause some ISPs blocked it, doesn't mean u can't hack them anymore.
Microsoft released the patch lately, if this has been out for 6 months.
Major Chrome
QUOTE (ipc$hacker @ Feb 11 2004, 05:34 AM)
QUOTE (Major Chrome @ Feb 11 2004, 01:54 AM)
Actually, I think he was just trying to make 50 posts.

and why u follow him?

It seems to me that you're doing the exact same thing; I was just pointing out why he was doing that. Clear my post count for this post for all I care.

As for the virus, I'll install the patch, Thanks Com!
Fooldj
I read that Microsoft HAS known about this problem for 6 months, but they're just now releasing a patch. And even tho some ISPs block those ports, some don't, and those comps will be vulnerable, which makes the sploit good. I know my ISP doesn't block 139, 445, and shit until you abuse them, and other ISPs don't even care as long as you aren't scanning on those ports. Personally I think if someone can get this sploit it will be very useful for a while; there are a lot of stupid/lazy people that just don't care. I mean, I can still get tons of results with regular NT sploits....
Nexcess
QUOTE (Fooldj @ Feb 13 2004, 02:41 AM)
i mean, i can still get tons of results with regular NT sploit....

Nah, most of the regular universities block those ports now, so figure that it will be useless to most of us before it even comes out. Mydoom is dead; nothing fast left with it that isn't already compromised. We need a real exploit like RPC again on a port that isn't blocked. Maybe 3389 remote desktop or UPnP.. something nice.
Hopefully, these worm/virus writers will bugger off and let us enjoy the next exploit before the media gets ahold of the fact there's a new worm/virus and every sysadmin and his sheep run to Microsoft for a patch.
Axl
QUOTE (Nexcess @ Feb 13 2004, 03:15 AM)
QUOTE (Fooldj @ Feb 13 2004, 02:41 AM)
i mean, i can still get tons of results with regular NT sploit....

Nah, most of the regular universities block those ports now, so figure that it will be useless to most of us before it even comes out. Mydoom is dead; nothing fast left with it that isn't already compromised. We need a real exploit like RPC again on a port that isn't blocked. Maybe 3389 remote desktop or UPnP.. something nice.
Hopefully, these worm/virus writers will bugger off and let us enjoy the next exploit before the media gets ahold of the fact there's a new worm/virus and every sysadmin and his sheep run to Microsoft for a patch.

Hmm... I know several 100mbit+ ranges that do not block those ports. Also, do not forget, this affects IIS SSL, mmm. When this comes out, I will be ecstatic.
GhostCow
Blah, Microsoft are so poorly foolish... I just heard that some Windows source code was leaked... it's because of all the companies that work with them that need the source to be able to develop software for winblowz...
technoboy
QUOTE
i just heard that some windows source code was leaked...


Yes, now available on your closest warez server.

Prepare for even more MS vuln's this year !
Axl
QUOTE (GhostCow @ Feb 13 2004, 01:51 PM)
Blah, Microsoft are so poorly foolish... I just heard that some Windows source code was leaked... it's because of all the companies that work with them that need the source to be able to develop software for winblowz...

Nah, they mostly give it to the colleges in texas and stuff and just the sdk to the software developers. Methinks a killer version of cygwin will be out though... = total compatibility for the windows environment in linux applications and vice versa. Mmmm... nice driver development for linux too.
JaX
Seems like a good sploit.