RE: Users slam Microsoft Security Analyser
From: Schwartz, Stanley (sschwartz@stlo.smhs.com)
Date: 04/15/02
- Previous message: Schwartz, Stanley: "RE: Users slam Microsoft Security Analyser"
- Maybe in reply to: Thor@HammerofGod.com: "Users slam Microsoft Security Analyser"
- Next in thread: Stuart Fox (DSL AK): "RE: Users slam Microsoft Security Analyser"
From: "Schwartz, Stanley" <sschwartz@stlo.smhs.com>
To: 'Marc Fossi' <mfossi@securityfocus.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Mon, 15 Apr 2002 16:10:41 -0500
Again, before you reported it on Dec 7th, our systems were still vulnerable,
we just didn't know it yet.
I agree that a good admin will use all his/her resources to defend their
systems. However, if it's up to admins to fix or work around all the
vulnerabilities in Windows, why should Microsoft bother releasing hotfixes?
Does Microsoft have any responsibility here?
The point is that Microsoft coded Windows with this vulnerability (and
others, some of which we don't know of yet) in it, and saying that good
admin(s) can defend against attacks isn't necessarily always true.
Stan :)
-----Original Message-----
From: Marc Fossi [mailto:mfossi@securityfocus.com]
Sent: Monday, April 15, 2002 3:50 PM
To: Schwartz, Stanley
Cc: Focus-MS
Subject: RE: Users slam Microsoft Security Analyser
On Mon, 15 Apr 2002, Schwartz, Stanley wrote:
<snip>
> Example (read as content): Did you know your Active Directory domain
> was susceptible to that Group Policy vulnerability before the alert
> came out (which was listed on one of the pages I referenced)?
> Ignorance IS bliss....ain't it?
<snip>
http://online.securityfocus.com/bid/4438
This was a known issue for a while before MS patched it. It was reported by
3APA3A to Bugtraq on Dec. 7, 2001
(http://online.securityfocus.com/archive/1/244329).
The key here is not just to wait for MS to tell you that something is
broken, but to monitor lists like Bugtraq for new vulnerability
announcements. There are some vulnerabilities that were announced on
Bugtraq months ago that MS still has not addressed. The good thing is that
usually a lot of people from the community will make suggestions for
workarounds for these issues until MS gets around to patching it.
As a responsible admin, the onus is on you to make use of all the available
resources.
Cheers,
Marc Fossi, MCSE
SecurityFocus
www.securityfocus.com