RE: Releasing patches is bad for security

• Previous message: Clint Bodungen: "Re: Releasing patches is bad for security"
• In reply to: Chris Brenton: "Releasing patches is bad for security"
• Next in thread: Pall Thayer: "Re: Releasing patches is bad for security"
• Reply: Pall Thayer: "Re: Releasing patches is bad for security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Chris Brenton'" <cbrenton@chrisbrenton.org>, <incidents@securityfocus.com>
Date: Thu, 26 Feb 2004 14:05:05 -0600

Chris Brenton wrote:

> This is just such a hoot I had to share:
> http://news.bbc.co.uk/1/hi/technology/3485972.stm
> The story quotes David Aucsmith, who is in charge of technology at
> Microsoft's security business and technology unit as stating:
>
> "We have never had vulnerabilities exploited before the patch was
> known,"

Then how did I get a copy of dcom.exe 2 days before they released the DCom
RPC patch. And it was surely in the deep underground longer than that. A
very effective exploit too, giving you a command line in 5 seconds on an
unpatched box.

I would call it less of a hoot and more like a baldface lie.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Previous message: Clint Bodungen: "Re: Releasing patches is bad for security"
• In reply to: Chris Brenton: "Releasing patches is bad for security"
• Next in thread: Pall Thayer: "Re: Releasing patches is bad for security"
• Reply: Pall Thayer: "Re: Releasing patches is bad for security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]