Potential Microsoft PCT worm (MS04-011) A revised exploit has been released for the PCT flaw in the last 24-hrs by THC (THCIISSLame.c). For the last few hours we have also been receiving uncorroborated anecdotal evidence from reliable sources that a working worm is being trialled on the Internet, in preparation for imminent release. The primary concern is that this flaw affects unpatched SSL enabled IIS servers, which could potentially be thousands of hosts. The official Microsoft patch (MS04-011) is strongly recommended for immediate application. However, for some organisations, change control and software dependency testing have meant that there has not been enough time to test and apply the patch widely. Additionally there have been reports of some organisations experiencing reliability issues after applying this patch, and so they have halted the rollout. As time is of the essence, an alternative to applying the patch is available by disabling PCT. This option has been tested by Corsaire with the THC exploit on Microsoft Windows 2000 SP4 IIS only (but we have no reason to doubt that this approach will work just as well on the alternative MS platforms). There is a Microsoft knowledgebase article that describes the full process. Be sure to follow the instructions to the letter, otherwise there is the risk that you will still be exposed: http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 -- Background -- Microsoft Security Bulletin MS04-011 (Microsoft) Microsoft http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. Copyright 2004 Corsaire Limited. All rights reserved.
