Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
From: Brett Hill (brett_at_IISANSWERS.COM)
Date: 06/04/04
- Previous message: Sam _at_ ProData: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
- In reply to: Russ: "Russ Cooper's AusCERT Presentation on MS Security Bulletins"
- Next in thread: Ken Schaefer: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
Date: Thu, 3 Jun 2004 21:58:02 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ,
A very interesting set of studies and conclusions, albeit, I think, somewhat
misleading and potentially dangerously so. You state early on that you did
not consider important factors such as exploitability and severity. Yet
later, you make statements like "IIS 6.0 boxes were 11% less vulnerable than W2K
IIS 5.0 servers". I don't know how you can effectively evaluate
vulnerability if you don't consider exploitability and severity. Not all
vulnerabilities are created equal, so simply adding them up, while
interesting, does not merit your conclusion, IMO.
Since you aren't considering severity or exploitability, any assessment of
the effectiveness of the results of Microsoft's security push that is based
on the number of hotfixes only is not informed well enough to bring into
focus a question like: "whether or not an 11% reduction in the vulnerability
of W2K3 represented a start to Microsoft's Security Push." IMO, you simply
don't have the data on the table to make that assessment. Furthermore,
posing a thesis like this based on raw numbers could arguably motivate
Microsoft to release non-severe patches less often.
The statement "if you configured any IIS box the way W2K3 IIS 6.0 was
configured and you'd get roughly the same security." has some merit, but
you don't then dismiss the IIS 5 vulnerabilities as largely a matter of
misconfiguration. I would argue, though, that even if you made IIS 6 more
permissive in its default installation, it would be far more secure than an
IIS 5 server due to improvements in parsing, process identity not being
system, etc. I'd also be interested in what you've counted as an IIS 6
vulnerability. Sometimes, IIS is not the problem, but is the vector. An
important but often overlooked distinction.
Finally, the idea that if you're not at 100% you're worse off than 90%
doesn't obviously make sense. Clearly, it would be better to have 90 SQL
servers not vulnerable than 100 infected servers, so if you could explain
the rationale behind your conclusion, that would be appreciated.
Thanks,
Brett Hill
IIS MVP
IISanswers.com/IISFAQ.com