Re: [Full-Disclosure] no more public exploits

From: Dave Sherohman (esper_at_sherohman.org)
Date: 04/27/04

To: full-disclosure@lists.netsys.com
Date: Tue, 27 Apr 2004 13:36:17 -0500


On Tue, Apr 27, 2004 at 12:52:26PM -0500, Duquette, John wrote:
> That is a terrible policy to follow. If the vulnerability is real enough
> for the vendor to publish a patch, then sysadmins should patch their
> systems. Haven't all the recent worms taught people anything?

The problem is that many vendors don't publish pure security patches,
instead bundling new features with the security fix. This places
sysadmins in the position of having to evaluate the existing
vulnerability against the chance of new holes and/or broken features
in the patch.

If you're dealing with a vendor who does pure security patches, then
I agree with you. (That's why I run Debian stable - they backport
all security patches, so you know that your security upgrade is
_just_ a security upgrade.) If you're dealing with '90s-era
Microsoft, where the only security patches are bundled with dozens of
other changes and "enhancements" in a Service Pack that's liable to
break more things than it fixes, then the situation isn't so clear-cut.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html