Anyone hear about this overdue critical 2000 vulnerability

  • Thread starter Thread starter Dan
  • Start date Start date
D

Dan

I know this is an XP newsgroup but I thought users might like to know about
this vulnerability. You can feel free to connect it to a general 2000
newsgroup or any other microsoft newsgroup that you may see fit to do.

FYI -- Windows 2000 still has a critical vulnerability as identified by
eeye.com and eeye are great because they help keep Microsoft on their toes.
The recent critical update(s) dated January 11 from Microsoft
fixed a vulnerability in 98SE, ME, 2000, XP
that this company had knowledge about for a while. This one is still out
there and
overdue for being fixed.

http://eeye.com/html/research/upcoming/index.html
http://eeye.com/html/research/upcoming/20040802-C.html
 
Dan said:
I know this is an XP newsgroup but I thought users might like to know about
this vulnerability. You can feel free to connect it to a general 2000
newsgroup or any other microsoft newsgroup that you may see fit to do.

FYI -- Windows 2000 still has a critical vulnerability as identified by
eeye.com and eeye are great because they help keep Microsoft on their toes.
The recent critical update(s) dated January 11 from Microsoft
fixed a vulnerability in 98SE, ME, 2000, XP
that this company had knowledge about for a while. This one is still out
there and
overdue for being fixed.

http://eeye.com/html/research/upcoming/index.html
http://eeye.com/html/research/upcoming/20040802-C.html
Click to expand...

That site doesn't give us much to go on, just a blurb about "Hight Severity" and "Overdue" but nothing about how the exploit works or even how to determine whether or not someone is vulnerable. When they refer to the "default installation", what does that mean? What are they talking about?

At least Secunia provides some details and even a link for users to test whether or not they're vulnerable.

carl
 
Eyee doesn't provide many details because they do not want anyone to discover
the vulnerability and exploit it until Microsoft fixes it. That is how it
was with the critical problem that was just fixed on January 11, 2004 by
Microsoft.

Dan said:
I know this is an XP newsgroup but I thought users might like to know about
this vulnerability. You can feel free to connect it to a general 2000
newsgroup or any other microsoft newsgroup that you may see fit to do.

FYI -- Windows 2000 still has a critical vulnerability as identified by
eeye.com and eeye are great because they help keep Microsoft on their toes.
The recent critical update(s) dated January 11 from Microsoft
fixed a vulnerability in 98SE, ME, 2000, XP
that this company had knowledge about for a while. This one is still out
there and
overdue for being fixed.

http://eeye.com/html/research/upcoming/index.html
http://eeye.com/html/research/upcoming/20040802-C.html
Click to expand...

That site doesn't give us much to go on, just a blurb about "Hight Severity"
and "Overdue" but nothing about how the exploit works or even how to
determine whether or not someone is vulnerable. When they refer to the
"default installation", what does that mean? What are they talking about?

At least Secunia provides some details and even a link for users to test
whether or not they're vulnerable.

carl
 
Dan said:
Eyee doesn't provide many details because they do not want anyone to discover
the vulnerability and exploit it until Microsoft fixes it. That is how it
was with the critical problem that was just fixed on January 11, 2004 by
Microsoft.
Click to expand...

And once the severity was elevated on that critical problem, Microsoft fixed it within days even though adequate security settings were already available to nuetralize the "vulnerability".

I'm sure Eyee is a great site, but I can only be a bit skeptical about this problem. They don't even talk about what could be involved, just some vague reference to "default installations of the infected software"...

What are we talking about? Default installations of Hearts? Pinball? Might we be talking about default installations of IIS 5.0? Are we talking about Windows 2000 Professional? Advanced Server?

carl
 
From the second web-link in first post --- Operating System affected is
Microsoft Windows 2000.

Dan said:
Eyee doesn't provide many details because they do not want anyone to discover
the vulnerability and exploit it until Microsoft fixes it. That is how it
was with the critical problem that was just fixed on January 11, 2004 by
Microsoft.
Click to expand...

And once the severity was elevated on that critical problem, Microsoft fixed
it within days even though adequate security settings were already available
to nuetralize the "vulnerability".

I'm sure Eyee is a great site, but I can only be a bit skeptical about this
problem. They don't even talk about what could be involved, just some vague
reference to "default installations of the infected software"...

What are we talking about? Default installations of Hearts? Pinball? Might
we be talking about default installations of IIS 5.0? Are we talking about
Windows 2000 Professional? Advanced Server?

carl
 
Dan said:
From the second web-link in first post --- Operating System affected is
Microsoft Windows 2000.
Click to expand...

And now we've come full circle... "Operating System affected: Windows 2000" is vague and now I'm convinced this "security alert" from Eeye can be safely discounted without further information.

carl
 
Well it is a vulnerability but you may think what you like.

Dan said:
From the second web-link in first post --- Operating System affected is
Microsoft Windows 2000.
Click to expand...

And now we've come full circle... "Operating System affected: Windows 2000"
is vague and now I'm convinced this "security alert" from Eeye can be safely
discounted without further information.

carl
 
Dan said:
I know this is an XP newsgroup but I thought users might like to know
about
this vulnerability. You can feel free to connect it to a general 2000
newsgroup or any other microsoft newsgroup that you may see fit to do.

FYI -- Windows 2000 still has a critical vulnerability as identified
by
eeye.com and eeye are great because they help keep Microsoft on their
toes.
The recent critical update(s) dated January 11 from Microsoft
fixed a vulnerability in 98SE, ME, 2000, XP
that this company had knowledge about for a while. This one is still
out
there and
overdue for being fixed.

http://eeye.com/html/research/upcoming/index.html
http://eeye.com/html/research/upcoming/20040802-C.html
Click to expand...


Because the "advisory" article makes no mention of WHAT is vulnerable
then it is a worthless advisory and only useful for internal tracking
purposes within Eeye. "Oh look, I found a security hole" means nothing
when we all know there will always be security holes. Was it using file
sharing and hacking in through a printer server, or yet another buffer
overflow exploit, or a "default installation" with NO updating at
Windows Update which would include a patch to fix the vulnerability, or
WHAT? Telling the FBI that there is a car filled with explosives that
is going to suicide drive into a government building does little to help
them combat the problem without SOME description of the car and which
building. Issuing vague warnings is as useful as using an Ouija board.
Describing the problem does NOT necessitate divulging the vulnerability.

Why warn anyone about an undisclosed problem since obviously you aren't
helping them in any way to avoid the problem? The problem only occurs
under certain conditions, within a particular environment, and under
specific configurations, so obviously the users could be warned about
what they could do to avoid the problem without actually detailing how
to implement the problem. Something bad is going to happen to you.
What? Not going to tell you but it's happening right now. WHAT?
Sorry, but until there is a cure, we won't tell you. You mean I have a
disease? Yes, but we're not going to tell you what it is or what it
does nor are we going to provide any information to tell you how to
mitigate its effects until someday we discover the cure. Yeah, thanks
for NOTHING except for the angst. What's the difference between the
user that had absolutely no knowledge of the advisory and another user
that has been informed of the "advisory" but it left completely in the
dark as to WHAT it advising? Angst, that's what is the difference.

If you don't have anything good to say, don't say anything. Since the
advisory is completely uninformative to users, it has nothing good to
report (by way of advising users how to avoid the purported problem).
Say I have information on how a virus could damage monitors by burning
them out but I'm not going to say anything until a cure is found. As I
recall, the purpose of providing an INF file for monitors was because,
at one time, some monitors would fry if you ran them at an unsupported
refresh rate, like 80Hz. But until manufacturers provided INF files or
altered their circuits to prevent the damage, apparently you and Eeye
believe that users should not have been given any information about how
to protect their hardware, so let users burn up the monitors while
providing a worthless advisory about an undescribed problem that can
result in destroying their hardware.

Have you ever read the descriptions of hotfixes and security updates?
Do you really believe those descriptions provide ample and clear
instructions to hackers on how to implement the security breach? Yet
they provide information regarding the environment needed to produce the
problem and how to mitigate the problem if such prevention is known.
Also, after the "cure" is found in a patch or update and describe in a
hell of lot more detail than anything disclosed by Eeye, does that mean
the problem is instantly avoided simply by the release of the patch or
update? How about all those computers that have yet to install the
update and yet, according to you and Eeye, the information disclosed by
the description of the security would incur damage to all those
unpatched hosts. If describing the problem were so horrendously an
irresponsible action then why does Microsoft provide technical details
for released patches since obviously that patch isn't instantaneously
distributed and install on every Windows platform around the world?
 
By the way, since the newly released MS05-001 bulletin which notes
"Remote Code Execution" as the vulnerability which is the same as the
ONLY information provided at the Eeye link to their "advisory" then
surely that undescribed Eeye advisory is no longer valid. Well, problem
X but not described has been fixed by a patch regarding problem X so
obviously they must refer to exactly the same means of generating
problem X. Uh huh. Doesn't look like I'll ever bother with nondescript
"advisories" from Eeye since they give me NOTHING to determine if I am
vulnerable and possibly how to avoid the purported problem.
 
Dan said:
Well it is a vulnerability but you may think what you like.
Click to expand...

Yep, and with computers running Windows Server 2003, two Windows XP Professional, Windows 2000 Professional, and Windows ME in my house, and all using Internet Explorer as the primary browser; my biggest concern and most problematic security problem has been and continues to be Sun's Java Runtime Environment.

carl
 
Please include the reply you are responding to.

--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


Dan said:
Well it is a vulnerability but you may think what you like.
Click to expand...

Yep, and with computers running Windows Server 2003, two Windows XP
Professional, Windows 2000 Professional, and Windows ME in my house, and all
using Internet Explorer as the primary browser; my biggest concern and most
problematic security problem has been and continues to be Sun's Java Runtime
Environment.

carl
 
http://eeye.com/html/research/advisories/AD20050111.html

Here is the details of the critical vulnerability that was corrected in
Windows on January 11.

Dan said:
Well it is a vulnerability but you may think what you like.
Click to expand...

Yep, and with computers running Windows Server 2003, two Windows XP
Professional, Windows 2000 Professional, and Windows ME in my house, and all
using Internet Explorer as the primary browser; my biggest concern and most
problematic security problem has been and continues to be Sun's Java Runtime
Environment.

carl
 
In
Steve N. said:
FYI - I've notice some non-OE newsreaders do not retain
original text
when replying.
Click to expand...


Can you tell us which ones? I've never seen any that didn't offer
the option of quoting.
 
Ken said:
In



Can you tell us which ones? I've never seen any that didn't offer
the option of quoting.
Click to expand...

My Netscape 7.2 Mail & Newsgroups (also 7.1) has an option of quoting
but it doesn't always work; some posts the quoted text is greyed and
when I reply to such a post the greyed text is not included. If I want
it included I have to manually copy it then Paste as Quotation in my
reply. I recall another newsreader behaving similarly but can't recall
which.

Steve
 
In
Steve N. said:
My Netscape 7.2 Mail & Newsgroups (also 7.1) has an option of
quoting
but it doesn't always work; some posts the quoted text is
greyed and
when I reply to such a post the greyed text is not included. If
I want
it included I have to manually copy it then Paste as Quotation
in my
reply. I recall another newsreader behaving similarly but can't
recall
which.
Click to expand...



Thanks. I've never used Netscape, and never had to deal with a
problem like that. Nevertheless if that's the way it works, that
would be enough reason for me not to use it, at least not as a
newsreader.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Eeye Still has critical vulnerability asscociated with NT 3
REPOST, U.S. Dept. of Homeland Security urges Windows users to update their Operating Systems. 3
Concerned about Window$ 7 and security? 6
Microsoft Windows Critical Update 6
Microsoft to patch Office, Windows flaws 1
Microsoft Security Bulletin MS04-023 Vulnerability in HTML Help Could Allow Code Execution (840315) 1
Microsoft emailing security updates? 2
No fix for 'critical' hole in Windows 98, ME 4

Back
Top