SANS ISC: InfoSec Handlers Diary Blog

Old Vulnerabilities Can Still Haunt You

Published: 2007-07-19
Last Updated: 2007-07-19 16:07:11 UTC
by Chris Carboni (Version: 1)

Andrew writes in to say:

"It just goes to show that old vulnerabilities can still be effective. I recently ran across a site that our IDS detected via the ANI exploit.

http://ww.xx.yyy.zz    /oth/ms07-017.ani

http://ww.xx.yyy.zz    /oth/ms07-017.php

One of our machines accessed this site and got exploited, but they had the MS07-017 patch. Very strange. After de-obfuscating the JavaScript to see what exploits it uses, it turns out the site goes after MS03-011, MS06-014 and MS07-017. The system was patched for the two newer exploits, but not for the old Microsoft JVM vulnerability.

To make things worse, the site drops ntos.exe, which contains rootkit functionality. At least the binary is fairly well detected by AV vendors."

Depending on how security savvy your organization is, legacy issues can slip by for years.

If you think you're patched to current, how do you know for sure?

An occasional scan (using MBSA, for example) will show you any missing patches. In a perfect world, every system would always be patched to current. If you are one of the people who can't deploy certain patches because they would break critical business functionality, these scan reports are the start of the paper trail you will want for your audits, showing why those systems can't be patched.
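The check described above, as an added example that is not code from the diary or from MBSA: it compares each host's installed updates against the three bulletins Andrew's report names and separates missing patches that have a documented business exception from those that do not, which is the paper trail the diary says auditors will ask for. The host inventory, the exception register, the ticket id and the host names are constructed; the KB numbers and the Microsoft VM build threshold used to define "patched" are assumptions for this example and should be verified against the bulletins. In practice the inventory would come from an MBSA report, `wmic qfe list` or Get-HotFix, and the Microsoft VM's reported build number.

```python
"""Patch-compliance check with an audit trail for approved exceptions.

Added example, not code from the ISC diary. Compares each host's
installed updates against the bulletins named in the diary and records
why any missing patch is allowed to remain missing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# What "patched" means per bulletin. The KB numbers and the Microsoft VM
# build threshold are assumptions made for this example; verify them
# against the bulletins before relying on them.
REQUIRED = {
    "MS07-017": ("kb", "KB925902"),        # ANI cursor handling
    "MS06-014": ("kb", "KB911562"),        # MDAC
    "MS03-011": ("msjvm_build", 3810),     # Microsoft VM: this build or later
}


@dataclass(frozen=True)
class Host:
    name: str
    installed_kbs: Set[str]
    msjvm_build: Optional[int]  # None when the Microsoft VM is not installed


# Constructed exception register: (host, bulletin) -> (justification, ticket).
# Only entries here count as documented; every other missing patch is a finding.
EXCEPTIONS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("ws-22", "MS06-014"): ("legacy line-of-business app breaks with this MDAC update",
                            "CHG-0042 (placeholder ticket id)"),
}

# Constructed inventory. ws-17 mirrors the diary's case: the two newer
# bulletins are applied but the Microsoft VM is still an old build.
HOSTS = [
    Host("ws-17", {"KB925902", "KB911562"}, 3805),
    Host("ws-22", {"KB925902"}, None),
    Host("ws-30", {"KB925902", "KB911562"}, None),
]


def is_patched(host: Host, bulletin: str) -> bool:
    """True when the host satisfies the bulletin's patched condition."""
    kind, value = REQUIRED[bulletin]
    if kind == "kb":
        return value in host.installed_kbs
    if kind == "msjvm_build":
        # A host without the Microsoft VM has no exposure to this bulletin.
        return host.msjvm_build is None or host.msjvm_build >= value
    raise ValueError(f"unknown check kind {kind!r}")


def assess(host: Host, exceptions=EXCEPTIONS) -> dict:
    """Split missing patches into documented exceptions and open findings."""
    missing = [b for b in REQUIRED if not is_patched(host, b)]
    documented = [b for b in missing if (host.name, b) in exceptions]
    undocumented = [b for b in missing if (host.name, b) not in exceptions]
    return {
        "host": host.name,
        "missing": missing,
        "documented": documented,
        "undocumented": undocumented,
    }


def audit_lines(hosts: List[Host]) -> List[str]:
    """Render one line per finding, suitable for the audit paper trail."""
    lines = []
    for h in hosts:
        r = assess(h)
        if not r["missing"]:
            lines.append(f"{h.name}: compliant")
            continue
        for b in r["documented"]:
            why, ticket = EXCEPTIONS[(h.name, b)]
            lines.append(f"{h.name}: {b} missing, approved exception ({ticket}): {why}")
        for b in r["undocumented"]:
            lines.append(f"{h.name}: {b} missing, NO documented exception - remediate or justify")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_lines(HOSTS)))
```

The MS03-011 check is deliberately not a KB lookup: the fix for the Microsoft VM is a build number, so a host that still reports an older build is flagged even when every other bulletin is installed, which is exactly the gap that let the machine in Andrew's report get exploited. Hosts with no Microsoft VM at all are treated as not exposed rather than as missing a patch.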


Microsoft Security Contact Pages

Published: 2007-07-19
Last Updated: 2007-07-19 03:05:50 UTC
by Marcus Sachs (Version: 1)

In an earlier diary, we included a link to Microsoft's security web site that did not work. Based on input from our readers, we updated the link to one that seemed to work. Microsoft told us today that there are two more URLs they would prefer that you use:

For home users:

For IT professionals:

In both cases, there is a phone icon on the right-hand side. Under it is the "select your region" link (if the region shown is wrong). For each region, it links to the proper phone numbers for that region.

Marcus H. Sachs
Director, SANS Internet Storm Center
