RE: Users slam Microsoft Security Analyser

From: Stuart Fox (DSL AK) (StuartF@datacom.co.nz)
Date: 04/16/02


From: "Stuart Fox (DSL AK)" <StuartF@datacom.co.nz>
To: "'Schwartz, Stanley'" <sschwartz@stlo.smhs.com>, 'Marc Fossi' <mfossi@securityfocus.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Tue, 16 Apr 2002 10:20:12 +1200


>
>
> Again, before you reported it on Dec 7th, our systems were
> still vulnerable, we just didn't know it yet.

But what's your point? It doesn't matter who is writing your software, if
there's a vulnerability that's not published, you're screwed anyway (unless
you're in the very small subset of people who run open source products AND
have the expertise and familiarity with the code to fix the bug - most
people aren't). BIND had vulnerabilities in it for years - literally.

>
> I agree that a good admin will use all his/her resources to
> defend their systems. However, if it's up to admins to fix
> or work around all the vulnerabilities in Windows, why should
> Microsoft bother releasing hotfixes? Does Microsoft have any
> responsibility here?

Of course they should release hotfixes - for those people who choose/need to
use those features that are exploitable. The reason we weren't exploited is
because we don't use the IDQ/IDA DLLs - but others will.

>
> The point is that Microsoft coded Windows with this
> vulnerability (and others, some of which we don't know of
> yet) in it, and saying that good
> admin(s) can defend against attacks isn't necessarily always true.

So what are you saying - that because there are potential vulnerabilities
that we don't know about in Windows, we shouldn't use it?

As a responsible admin, you need to ensure your systems are as secure as
possible. Sure, there will be cases where you need to rely on your vendor
(be it Microsoft, Sun, whoever), but there will be plenty where you don't.
