Apr 27 2004
Signature for SSL Exploit
I haven’t heard of any active viruses out there using the latest SSL vulnerability in IIS, but there is an exploit tool, and it is apparently being used. Microsoft is taking this one seriously, to the point that they are calling people directly to tell them to patch. Or at least that’s what one comment I received says. I’ve never heard of Microsoft calling an admin to patch their systems, but there’s a first for everything. I’m not sure if I like that. If they start emailing patches to people, I’ll be really concerned; I’ve always told my users to delete any email coming from Microsoft with attachments, since MS doesn’t do that. Oh well, I’ll burn that bridge when I come to it.
One of the (many) mailing lists I subscribe to is the Snort Signature list. Yesterday a signature for the SSL exploit was posted, by … I’m not sure who; the email has been replied to and forwarded, making identification difficult. If this is your Snort signature, let me know and I’ll post the credit. In any case, here’s the signature, which I haven’t tested yet. Your mileage may vary. If you have a better or different signature, let me know.
alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; sid:900034; content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36;)
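To see what the rule above actually keys on before loading it, here is an added example (not part of the original post or of Snort) that decodes the rule's content bytes and checks them against a few constructed payloads. It assumes that within:36 with no earlier content match means the whole pattern must lie in the first 36 payload bytes; the helper names and the sample payloads are made up for illustration.

```python
import re

# Rule text as posted above, typed with straight quotes.
RULE = ('alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit '
        '(THCIISSLame by Johnny Cyberpunk)"; sid:900034; '
        'content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36;)')

def parse_content(value):
    """Decode a Snort content string: |..| spans are hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                          # odd segments sit between pipes
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)

def rule_pattern(rule):
    """Return (pattern bytes, within value) taken from the rule's options."""
    content = re.search(r'content:"([^"]*)"', rule).group(1)
    within = int(re.search(r'within:(\d+)', rule).group(1))
    return parse_content(content), within

def matches(payload, pattern, within):
    # Assumption: no preceding content match, so the window starts at byte 0
    # and the full pattern has to fit inside the first `within` bytes.
    return pattern in payload[:within]

PATTERN, WITHIN = rule_pattern(RULE)

# Constructed payloads (not captured traffic).
SAMPLES = {
    "marker_early": b"\x00" * 10 + PATTERN + b"\x00" * 20,  # ends at byte 25
    "marker_late": b"\x00" * 30 + PATTERN,                  # ends at byte 45
    "no_marker": b"\x16\x03\x01\x00\x2f" + b"\x00" * 40,    # handshake-like bytes
}

def scan(samples=SAMPLES):
    """Map each sample name to True if the rule's content check would fire."""
    return {name: matches(data, PATTERN, WITHIN) for name, data in samples.items()}

if __name__ == "__main__":
    print("decoded content:", PATTERN)
    for name, hit in scan().items():
        print(f"{name:13s} -> {'ALERT' if hit else 'no match'}")
```

The decoded content is an ASCII marker followed by two non-ASCII bytes, so the rule fires on that literal byte string near the start of the payload and on nothing else.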