Re: Releasing patches is bad for security
From: Pall Thayer (pall_at_fa.is)
Date: 02/26/04
- Previous message: Gary Nichols: "RE: Releasing patches is bad for security"
- In reply to: Curt Purdy: "RE: Releasing patches is bad for security"
- Next in thread: mgotts_at_2roads.com: "Re: Releasing patches is bad for security"
To: "Curt Purdy" <purdy@tecman.com>, "'Chris Brenton'" <cbrenton@chrisbrenton.org>, <incidents@securityfocus.com>
Date: Thu, 26 Feb 2004 21:43:35 -0000
According to Slashdot he also said "I can only think of one time that a
vulnerability was exploited before a patch was issued." Apparently he said
this shortly after saying "We have never had vulnerabilities exploited
before the patch was known."
Pall Thayer
artist/teacher
Fjolbrautaskolinn vid Armula
http://www.this.is/pallit
http://www.this.is/pallit/isjs
http://www.this.is/pallit/harmony
http://130.208.220.190/panse
----- Original Message -----
From: "Curt Purdy" <purdy@tecman.com>
To: "'Chris Brenton'" <cbrenton@chrisbrenton.org>;
<incidents@securityfocus.com>
Sent: Thursday, February 26, 2004 8:05 PM
Subject: RE: Releasing patches is bad for security
> Chris Brenton wrote:
>
> > This is just such a hoot I had to share:
> > http://news.bbc.co.uk/1/hi/technology/3485972.stm
> > The story quotes David Aucsmith, who is in charge of technology at
> > Microsoft's security business and technology unit as stating:
> >
> > "We have never had vulnerabilities exploited before the patch was
> > known,"
>
> Then how did I get a copy of dcom.exe 2 days before they released the DCom
> RPC patch? And it was surely in the deep underground longer than that. A
> very effective exploit too, giving you a command line in 5 seconds on an
> unpatched box.
>
> I would call it less of a hoot and more like a baldface lie.
>
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
>
> ----------------------------------------
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke