From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Friday, July 23, 1999 12:49 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: IIS RDS vulnerability and fix

For those of you trying to wade through all that RFP said, here's the short and curly of it.

1. RFP figured out that the thing Greg and I were holding back was the fact you could make a DSN-less connection to a known .mdb file without a DSN, UserID, or Password. This is what made Greg's discovery so much more potentially dangerous than RFP's earlier discovery. Not to diminish what RFP found, but the need for a known DSN + UserID + Password meant his attack was brute force, whereas Greg's simply looked for numerous known .mdb files in typical locations.

2. RFP has discovered a way to by-pass Customization Handlers! This requires the presence of the

   HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W3SVC/Parameters/ADCLaunch/VbBusObj.VbBusObjCls

   registry key. This is one of the 3 keys which MS recommended removing, so if you have removed them, this new attack method will not affect you. If you haven't removed them, then you should read RFP's message again.

Cheers,
Russ - NTBugtraq Editor