Re: [Full-Disclosure] Bill Gates blames the victim

From: Florian Weimer (fw_at_deneb.enyo.de)
Date: 08/31/03

  • Next message: Steven Fruchter: "RE: [Full-Disclosure] DCOM/RPC story (Analogy)"
    To: "Richard M. Smith" <rms@computerbytesman.com>
    Date: Sun, 31 Aug 2003 21:12:57 +0200
    
    

    "Richard M. Smith" <rms@computerbytesman.com> quotes Mr. Gates:

    > And ducking questions by blaming the victim:
    >
    > Q. "The buffer overrun flaw that made the Blaster worm
    > possible was specifically targeted in your code reviews
    > last year. Do you understand why the flaw that led to
    > Blaster escaped your detection?"
    >
    > A. "Understand there have actually been fixes for all of
    > these things before the attack took place. The challenge
    > is that we've got to get the fixes to be automatically
    > applied without our customers having to make a special effort."

    The "all of these things" part is not correct, according to several
    press reports.

    | Pentagon sources last week confirmed that officials are
    | investigating an apparent intrusion into at least one military
    | server through a previously unknown vulnerability in Microsoft
    | Corp.'s Windows 2000 operating system.

    <http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79626,00.html>

    | Update: In an unusual case, attackers have begun exploiting a new
    | Microsoft bug before the flaw was widely known. Microsoft is urging
    | sites to patch their servers as quickly as possible
    |
    | Microsoft warned customers on Monday that a security hole in Windows
    | 2000 and the company's Web server software is allowing online
    | attackers to take control of corporate servers.
    |
    | Because the vulnerability is being actively exploited by Internet
    | vandals, Microsoft advised customers to apply a patch or use a
    | workaround to defend against the attack as soon as possible. One of
    | the servers attacked belonged to the US Army, according to reports.

    <http://news.zdnet.co.uk/business/0,39020645,2132071,00.htm>

    | A hacker last week exploited a previously unknown vulnerability in
    | Microsoft Corp.'s Windows 2000 operating system to gain control of a
    | military Web server, and the extent of the damage done is still
    | unknown.

    <http://www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp>

    There's still an unpatched RPC vulnerability (however, only DoS has
    been publicly demonstrated so far):

    <http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00254.html>

    Of course, it's convenient to ignore such problems and declare that
    regularly applied patches pave the way to secure software. But
    patching is a countermeasure that is merely in vogue right now. It's
    just a question of time until this approach breaks in a very
    obvious manner (one that cannot easily be blamed on sloppy system
    administration), and we have to try something different.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

