Just a quick heads-up: MS02-027 cites blocking port 70 as an effective protection against exploitation of the Gopher buffer overrun in IE / ISA server / MS proxy: "Most notably, customers who block access to the Gopher protocol (TCP port 70) at the perimeter firewall would be protected against attempts to exploit this vulnerability across the Internet." This is untrue. Gopher servers can run on any port, e.g. "gopher://evilhacker.net:1234";, or why not ":80", so don't trust blocking port 70 at all. Use the other workarounds instead. (In fact, in the case of *nix servers, it's even easier for an attacker to run the fake gopher server on a high port; this way, he won't even need root priviliges.) Take care, /Mikael Olsson -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
