[unisog] Scanner for MS03-049?

Russell Fulton r.fulton at auckland.ac.nz
Wed Nov 19 21:44:54 GMT 2003

On Thu, 2003-11-20 at 07:56, Rodrigues, Philip wrote:

> If you try to various exploits that exist for this issue, you will
> actually notice that network-wise, patched systems will issue the
> *exact* same response as unpatched ones, mostly because the overflow
> occurs later on.

Hmmm... I wonder if MS would be prepared (for future vulnerabilities
like this) to try and change something non critical in the response of
patched system so that one can easily tell if the system has been

>From my point of view it is vital that I can tell if machines are
vulnerable from the network and without admin rights on the box.  I have
similar beefs with Linux distros which patch network services but don't
change the banners.

I don't care if it makes the crackers life easier, crackers can use real
exploits to see if a system is patched, I can't.

Hmmm... now that's a thought!  When we move to using 802.1x
authentication for all network connections we display a banner:

     You are about to connect to the University of Auckland Network.

Only authorised users on fully patched system may connect to the
network. If your machine has any known vulnerabilities then our testing
procedures may compromise your machine and  this may cause serious
damage to your system.  You connect to our network at your own risk, we
reserve the right to use destructive test to ensure your machine is not
a threat to our network.


Then kick the stuffing out of anything that connects!


Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

More information about the unisog mailing list