RE: Users slam Microsoft Security Analyser

From: Stuart Fox (DSL AK)
Date: 04/16/02

From: "Stuart Fox (DSL AK)"
To: "'Schwartz, Stanley'", 'Marc Fossi', "''"
Date: Tue, 16 Apr 2002 10:20:12 +1200

> Again, before you reported it on Dec 7th, our systems were
> still vulnerable, we just didn't know it yet.

But what's your point? It doesn't matter who is writing your software: if
there's a vulnerability that's not published, you're screwed anyway (unless
you're in the very small subset of people who run open source products AND
have the expertise and familiarity with the code to fix the bug - most
people aren't). BIND had vulnerabilities in it for years - literally.

> I agree that a good admin will use all his/her resources to
> defend their systems. However, if it's up to admins to fix
> or work around all the vulnerabilities in Windows, why should
> Microsoft bother releasing hotfixes? Does Microsoft have any
> responsibility here?

Of course they should release hotfixes - for those people who choose/need to
use those features that are exploitable. The reason we weren't exploited is
because we don't use the IDQ/IDA DLLs - but others will.

> The point is that Microsoft coded Windows with this
> vulnerability (and others, some of which we don't know of
> yet) in it, and saying that good
> admin(s) can defend against attacks isn't necessarily always true.

So what are you saying - that because there are potential vulnerabilities
that we don't know about in Windows, we shouldn't use it?

As a responsible admin, you need to ensure your systems are as secure as
possible. Sure, there will be cases where you need to rely on your vendor
(be it Microsoft, Sun, whoever), but there will be plenty where you don't.