Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 03/17/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 18 Mar 2004 10:48:13 +1300
    
    

    Luke Scharf <lscharf@aoe.vt.edu> wrote:

    <<big snip>>
    > I've been a lot better about this lately, but I still think it's kind of
    > absurd that I can't plug a freshly rebuilt Windows XP machine into the
    > network. You'd think that Microsoft would at least make an official
    > release of Windows XP.1 or something like that to address this totally
    > absurd problem with their software.

    Heck -- a (comprehensive!) set of .REG files could probably be provided
    to harden a machine "enough" (disable all the "on by default but
    completely unnecessary on 99.997% of machines" services, set a few
    policies regarding protocol/interface bindings, etc) to make it "safe"
    to venture onto the Internet and go straight to Windows Update.

    Odd that a company that supposedly has now developed a serious interest
    in security has not done this, but has found the time and staffing to
    produce, test, manufacture and distribute an at least six month out-of-
    date "patch CD"... (Not that the patch CD is a bad thing, but it
    provides an interesting observation of the actual priorities despite
    Billy Boy's proclamation that security issues were to take precedence
    over features.)

    Regards,

    Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

