Mailing List Archive

Sonny,

Sorry to hear about this. Older versions of this plugin (pre 1.11) are
supposed to be safe but in some corner cases, as Omen Wild reported,
it could take down svchost.exe. We immediately worked with Omen about
this and believe that version 1.11, which was pushed in the feed
yesterday, fixes the problem for good (we're waiting for his latest
tests though).

Could you make sure that you're running version 1.11 of the plugin?
I'd advise you to go as far as doing a nessusd -R on your scanners to
make sure that you're running the very latest version.

Thanks,

-- Renaud



On Oct 30, 2008, at 8:58 AM, Discini, Sonny wrote:

> I've heard that others have run into trouble with the MS08-067
> plugins.
> Right now, we've taken down about 2,500 hosts in our environment with
> these plugins.
>
> ERROR FROM EVENT VIEWER:
> Event Type: Error
> Event Source: Application Error
> Event Category: (100)
> Event ID: 1000
> Date: 10/29/2008
> Time: 10:11:50 AM
> Description:
> Faulting application svchost.exe, version 5.1.2600.5512, faulting
> module
> netapi32.dll, version 5.1.2600.5512, fault address 0x00018ae1.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 41 70 70 6c 69 63 61 74 Applicat
> 0008: 69 6f 6e 20 46 61 69 6c ion Fail
> 0010: 75 72 65 20 20 73 76 63 ure svc
> 0018: 68 6f 73 74 2e 65 78 65 host.exe
> 0020: 20 35 2e 31 2e 32 36 30 5.1.260
> 0028: 30 2e 35 35 31 32 20 69 0.5512 i
> 0030: 6e 20 6e 65 74 61 70 69 n netapi
> 0038: 33 32 2e 64 6c 6c 20 35 32.dll 5
> 0040: 2e 31 2e 32 36 30 30 2e .1.2600.
> 0048: 35 35 31 32 20 61 74 20 5512 at
> 0050: 6f 66 66 73 65 74 20 30 offset 0
> 0058: 30 30 31 38 61 65 31 0018ae1
>
> We have the latest Security Center with the latest build of Nessus on
> RHEL 5. Our plugins are updated each night.
>
> If anyone has a solution or an expected fix date, please let me know.
>
>
> Sonny
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

Odd - we never had a problem with the older pluin (commercial feed) on a couple different client's networks. Any reason why we didn't and he did? We are using the latest nessus server and client.

-Chris
(Sent from my BlackBerry)

Christopher B. Karr, CISSP
UberGuard Information Security Consulting, LLC
91 Clinton St.
Avon, NY 14414
P:(585) 226-2635
F:(585) 226-9329
C:(585) 703-9774
www.uberguard.com

----- Original Message -----
From: nessus-bounces@list.nessus.org <nessus-bounces@list.nessus.org>
To: Discini, Sonny <Sonny.Discini@montgomerycountymd.gov>
Cc: nessus@list.nessus.org <nessus@list.nessus.org>
Sent: Thu Oct 30 10:59:45 2008
Subject: Re: MS08-067 Plugins Crashing SVCHOST.EXE



Sonny,

Sorry to hear about this. Older versions of this plugin (pre 1.11) are
supposed to be safe but in some corner cases, as Omen Wild reported,
it could take down svchost.exe. We immediately worked with Omen about
this and believe that version 1.11, which was pushed in the feed
yesterday, fixes the problem for good (we're waiting for his latest
tests though).

Could you make sure that you're running version 1.11 of the plugin?
I'd advise you to go as far as doing a nessusd -R on your scanners to
make sure that you're running the very latest version.

Thanks,

-- Renaud



On Oct 30, 2008, at 8:58 AM, Discini, Sonny wrote:

> I've heard that others have run into trouble with the MS08-067
> plugins.
> Right now, we've taken down about 2,500 hosts in our environment with
> these plugins.
>
> ERROR FROM EVENT VIEWER:
> Event Type: Error
> Event Source: Application Error
> Event Category: (100)
> Event ID: 1000
> Date: 10/29/2008
> Time: 10:11:50 AM
> Description:
> Faulting application svchost.exe, version 5.1.2600.5512, faulting
> module
> netapi32.dll, version 5.1.2600.5512, fault address 0x00018ae1.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 41 70 70 6c 69 63 61 74 Applicat
> 0008: 69 6f 6e 20 46 61 69 6c ion Fail
> 0010: 75 72 65 20 20 73 76 63 ure svc
> 0018: 68 6f 73 74 2e 65 78 65 host.exe
> 0020: 20 35 2e 31 2e 32 36 30 5.1.260
> 0028: 30 2e 35 35 31 32 20 69 0.5512 i
> 0030: 6e 20 6e 65 74 61 70 69 n netapi
> 0038: 33 32 2e 64 6c 6c 20 35 32.dll 5
> 0040: 2e 31 2e 32 36 30 30 2e .1.2600.
> 0048: 35 35 31 32 20 61 74 20 5512 at
> 0050: 6f 66 66 73 65 74 20 30 offset 0
> 0058: 30 30 31 38 61 65 31 0018ae1
>
> We have the latest Security Center with the latest build of Nessus on
> RHEL 5. Our plugins are updated each night.
>
> If anyone has a solution or an expected fix date, please let me know.
>
>
> Sonny
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus