Re: [inbox] Re: [Full-Disclosure] 3 new MS patches next week... but none fix

From: Tim (tim-security_at_sentinelchicken.org)
Date: 01/10/04

    To: Exibar <exibar@thelair.com>
    Date: Sat, 10 Jan 2004 09:35:09 -0800

    > It's not that Microsoft doesn't have a clue, they do. We are getting
    > regular patches for holes that are found are we not? If they didn't have a
    > clue, we would have yearly patches or none at all. Ok, there may be some
    > holes that aren't patched yet, but I'm sure they're working on them and
    > they're coming. Some patches just have to take precedence over others.

    No. Microsoft blatantly ignores many vulnerabilities. Come this next
    round of patches, they will have ignored the %00/%01 IE hole for well
    over a month. No notice to customers, no workarounds, nothing.

    How long did the IE Certificate vulnerability sit on Thor's site before
    it was finally patched in all versions of Windows? 2 years? 3?

    > I've seen quite a few vulnerabilities come across this list in this past
    > week, not many have vendor fixes yet either. This is not a Microsoft
    > exclusive problem. We need a better way to patch systems, ALL systems.

    Of course. A lot of vendors suck. But some have it (almost) figured out.

    > I've said it once on another list, and I'll say it here, we need a sort
    > of "patching server" that is on an isolated subnet. When a machine first
    > connects to the network, it gets an IP address and is only allowed to talk
    > to the patching server(s). Once the patching servers (for ALL OS's mind
    > you) determine that the machine is up to date with its patches, then and
    > only then is it allowed to connect to the production network.

    Ok, that's fine and all, until you run across the next M$ patch that
    rolls "feature" changes into the bugfix patch, and they happen to break
    your custom application. Or until you try to roll a patch out that
    accidentally rolls BACK some of your other DLLs to an old, vulnerable
    version. *cough slammer cough*

    So, here are two rules a patching system should follow:

    1. All patches regression tested against all previous vulnerabilities.
    2. Never roll any functionality changes along with security fixes.

    I am sure there are others to follow, but I can't think of them right now.

    > Let me ask this question, if you were running a company with 30,000 LINUX
    > boxes. How would you patch all of them? Don't a lot of Linux patches
    > require a re-build of the kernel?

    NO. The vast majority of vulnerability patches do not require any
    rebuild of the kernel, which means you don't even have to reboot.

    How do I run a secure server? Debian stable. To patch:

    # apt-get update
    # apt-get upgrade

    DONE.

    Many other Linux distributions have similar sets of commands that are
    just as easy, and you don't have to buy 3rd party software to make it
    work.

    Oh, and if you want to patch ALL of your 30000 systems, just install
    your public SSH key on each of them when you build them, and:

    # servers.txt holds one hostname per line; -y answers apt's confirmation
    # prompt so the loop does not stall on every host
    for S in $(cat servers.txt); do
        ssh "root@$S" "apt-get update && apt-get -y upgrade"
    done

    or something to that effect.

    tim

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
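The one-line ssh loop above is the whole idea, but on 30,000 hosts one unreachable box, one password prompt or one stalled apt question will wreck the run. The script below is an added example (not code from the original post or from Debian): a POSIX sh fleet patcher that assumes key-based root SSH is already installed as the post describes, a host list file with one name per line, apt on every host, and that the host's packaging drops /var/run/reboot-required after a kernel or libc update (Debian-family hosts with update-notifier-common do). The host names in the demo are constructed; SSH_CMD can be pointed at a stub for dry runs, which is what the demo does.

```shell
#!/bin/sh
# Patch a fleet of Debian/apt hosts over SSH. Added example, not from the
# original post. Assumes key-based root SSH and a host list file.

SSH_CMD="${SSH_CMD:-ssh}"                 # override with a stub for dry runs
LOG_DIR="${LOG_DIR:-.}"                   # one log per host goes here
FAILED_LOG="${FAILED_LOG:-./patch-failed.txt}"

# Command run on each host. DEBIAN_FRONTEND=noninteractive plus -y keeps apt
# from waiting on a prompt that nobody is there to answer. The last step
# flags hosts that need a reboot to actually load the patched code.
REMOTE_CMD='apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade \
&& if [ -f /var/run/reboot-required ]; then echo REBOOT-REQUIRED; fi'

# Patch one host; the exit status is that of the remote command chain.
# -n: do not consume the host list on stdin; BatchMode: fail instead of
# prompting for a password; ConnectTimeout: a dead host costs seconds.
patch_host() {
    "$SSH_CMD" -n -o BatchMode=yes -o ConnectTimeout=10 "root@$1" "$REMOTE_CMD"
}

# Patch every host in the list file $1 (blank lines and # comments skipped).
# Failed hosts are collected in $FAILED_LOG so they can be re-run alone;
# returns 0 only if every host succeeded.
patch_fleet() {
    list="$1"
    ok=0
    bad=0
    : > "$FAILED_LOG"
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        if patch_host "$host" > "$LOG_DIR/$host.log" 2>&1; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1))
            echo "$host" >> "$FAILED_LOG"
        fi
    done < "$list"
    echo "patched: $ok  failed: $bad (failures listed in $FAILED_LOG)"
    [ "$bad" -eq 0 ]
}

# Stand-in for ssh that only records what would have run (same argument
# layout as the real call: $6 is root@host, $7 is the remote command).
dry_run_ssh() {
    echo "dry run on $6: $7"
}

# Demo on a constructed host list, never touching a real machine.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'web1.example.invalid' '# db tier' 'db1.example.invalid' \
        > "$tmp/servers.txt"
    SSH_CMD=dry_run_ssh
    LOG_DIR="$tmp"
    FAILED_LOG="$tmp/failed.txt"
    patch_fleet "$tmp/servers.txt"
    cat "$tmp"/*.log
}

demo
```

Re-running just the failures is then `patch_fleet patch-failed.txt` once the broken hosts are fixed. The per-host log is where REBOOT-REQUIRED shows up; a second pass that greps the logs for it tells you which boxes are still running the old kernel despite having the patched package on disk.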

