RE: exploit to vulnerability

From: Murad Talukdar (talukdar_m_at_subway.com)
Date: 08/22/05

    Date: Mon, 22 Aug 2005 13:59:50 +1000
    To: 'Murad Talukdar' <talukdar_m@subway.com>, focus-ms@securityfocus.com
    
    

    Just saw this in Jose Nazario's interview on securityfocus;

    >> There's also the issue of time. Downloading a 200MB file means being
    online and vulnerable for minutes (or hours). What about an attack or a worm
    in this timeframe?

    An efficient patch can be distributed in a matter of hours to days. With
    only one exception (the Witty worm), no worm has ever been constructed and
    deployed that fast. The time frame between a worm's release and the
    disclosure of the vulnerability that the worm uses is, on average, about 4
    weeks.

    I guess the window, on average, is bigger than I thought, however, the top
    end of the exploit bell curve may well mean 0-day (or close enough) for a
    few. And as we all know, that one which gets in could be the one that does
    enough damage. So I would certainly like to use that scale in my 'lead time'
    rather than say, 'What me worry? I've got (on average) four weeks.'

    -----Original Message-----
    From: Murad Talukdar [mailto:talukdar_m@subway.com]
    Sent: Friday, August 19, 2005 4:11 PM
    To: focus-ms@securityfocus.com
    Subject: exploit to vulnerability

    With all the issues highlighting the speed that exploits are now being
    written (e.g. http://www.securityfocus.com/news/11285), the window between
    exploit/vuln appears, on average, to be getting tighter.

    We have an SME network and I used to have a week or so to test patches
    before rolling them out.
    This all begs the question now, with limited resources, do I just patch and
    not worry about testing? I definitely have fewer resources than some of the
    companies that were hit (CNN et al) and less time to dedicate to patching.

    Should I just use auto updates/GP to patch everything regardless?
    What do other SME admins do?

    Kind Regards
    Murad Talukdar
