[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Vulnerability of Critual Update

Posted on 2003-10-28
9
Medium Priority
?
332 Views
Last Modified: 2012-06-21
How would I tell if I was actually being attacked by this critical update?? Is there a way to know that the vulnerability is being hit?

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/excoct03.asp

0
Comment
Question by:NickMalloy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9637340
Look for the things it mentions in the FAQ. Though, at barely a week old it may not yet be a concern. MSBLAST for example came out several weeks after MS issued a patch.

What would this vulnerability enable an attacker to do?

The vulnerability could allow an unauthenticated attacker to exhaust large amounts of memory on the server. This could cause a state where the server would stop responding to requests. In Exchange 2000 Server, the attacker could also, in the worst case, be able to cause remote code execution.

How could an attacker exploit this vulnerability?

An unauthenticated attacker could seek to exploit this vulnerability by connecting to an SMTP port on the Exchange server and by issuing a specially-crafted extended verb request. These requests can allocate memory on the server and can cause a denial of service. In Exchange 2000 Server, it is also possible to craft the request causing the SMTP service to fail in such a way that an attacker could execute code. This could allow an attacker to take any action on the system in the security context of the SMTP service. By default, the SMTP service runs as Local System.

Can this be exploited directly by using e-mail?

No. This vulnerability could not be exploited by sending a specially-crafted e-mail message to a mailbox that is hosted on an Exchange server. An attacker would have to connect directly to the SMTP port on an Exchange server.
0
 

Author Comment

by:NickMalloy
ID: 9637397
So the only way that I could be attacked with this is by connecting to the port? So I would know if I was being attacked by if the user is using the SMTP port? Say like telneting
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9637428
Yes, that would be the most likely approach... though you can script telnet sessions.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:NickMalloy
ID: 9637511
Our mail server has slowed down in the past few days. We noticed that this critical update didn't get installed properly. We want to make sure that this vunerability isn't the cause of it. How could you tell this? I guess that is what I am trying to find out. How can I rule out this vunerability. ?
0
 
LVL 8

Accepted Solution

by:
JasonBigham earned 750 total points
ID: 9637536
Best way to rule it out... make sure the patch installs properly. This patch is so new though, I'd be inclined to look elsewhere... after applying the patch of course.

There could be numerous other (non hacker) related reasons for slowdowns... time to bust out perfmon.
0
 

Author Comment

by:NickMalloy
ID: 9637559
what is perfmon??
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9637573
Performance Monitor

0
 
LVL 10

Expert Comment

by:OneHump
ID: 9637575
046 shuts down your IMC.  047 allows code execution.  If your IMC isnt shutting down then you don't have a 046 problem.  If you having performance problems, you can run perfmon to see what applications are using your resources.  Task manager might be suggested for CPU utilization, but perfmon gives you a better view into most resources.

You first need to find out what you are having performance problems.  Once you find that out, you'll know if you have been compromised.

OneHump
0
 
LVL 35

Expert Comment

by:Bembi
ID: 9637813
Could not really understand your question, you mean, how you find out, if somebody has attacked your server using this vulnerability? Following the description, it is a "denial of service" attack or force a "buffer overrun" , means, as long as your server is still working and your memory is in a usual range, everything seems to be OK.

As this issue is a potential risk as remote code execution is possible if a buffer overrun state is reached, you should install it.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New style of hardware planning for Microsoft Exchange server.
If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question