Re: Towards a responsible vulnerability process
From: Steven Healey (shealey@SWANSTONE.COM) Date: 11/04/01
- Previous message: David LeBlanc: "Re: Towards a responsible vulnerability process"
- Maybe in reply to: David LeBlanc: "Towards a responsible vulnerability process"
- Next in thread: Ernst Lopes Cardozo: "Re: Towards a responsible vulnerability process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <50DD64DF6AD6804C90C14698EEC704A102AA@crpmail>
Date: Sun, 4 Nov 2001 14:59:10 -0600
From: Steven Healey <shealey@SWANSTONE.COM>
Subject: Re: Towards a responsible vulnerability process
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Typically there is also another step, somewhere among 3, 4, and 5:
N. Does the patch break any mission-critical applications?
Due to the design of many existing systems (and NT is not the only one, but
it does appear to be one of the worst for this behaviour), installing an
"operating system patch" can cause an application to fail. If this is an
enterprise or mission-critical application, the consequences of the failure
can be disastrous for the organization.
This hits hardest in midrange applications. While SAP et al. may monitor
vendor patches, test, and get application patches out the door quickly,
small- and mid-sized vendors often do not. In some cases they don't
consider it important, in some cases they don't have the resources. So the
application user is left with the dilemma: Patch and secure the OS,
crashing the app? Or keep the app up and take the risk of a compromise?
Or disconnect from the Internet entirely, which is an option I have heard
discussed quite a bit in the last 6 months.
Unfortunately, small- and mid-sized organizations are often locked into
their applications. And such organizations often do not have the resources
to handle these problems themselves. They try to outsource and/or use
consultants, but those approaches have their own problems.
Having worked with midrange implementations over the last 6 years, I am at
my wit's end as to how to handle this situation.
Steven Healey
-----Original Message-----
From: Kirk Corey [mailto:kirk.corey@NEXIQ.COM]
Sent: Sunday, November 04, 2001 11:17 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Towards a responsible vulnerability process
In his article, Scott Culp makes the following statement: "Providing a
recipe for exploiting a vulnerability doesn't aid administrators in
protecting their networks." This statement, and some of the conclusions
based upon it, are incorrect.
When a vulnerability is announced, a system administrator may ask the
following questions:
1. Is my system vulnerable? (If it ain't broke....)
2. If so, should I attempt a workaround?
3. If so, and I configure a workaround, has the workaround now indeed
protected my system against the vulnerability? Or did I make a mistake
somewhere, or misunderstand some part of the advisory, or (fill in the
blank)?
4. Or should I apply the patch?
5. If so, and I do, has the application of the patch protected the system
against the vulnerability? Or is there perhaps something unique to my
configuration that causes the application of the patch to fail without
warning, or to succeed in application, but still fail to protect me against
the vulnerability? (Perhaps I need the workaround after all.)
[...]
Kirk Corey
[...]