Bugtraq mailing list archives
Re: NT RPC Hotfix
From: avalon () coombs anu edu au (Darren Reed)
Date: Fri, 24 Jan 1997 19:11:45 +1100
In some mail from Aleph One, sie said:
> Microsoft just released a hotfix for the RPC vulnerability:
> ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix
> Their quick turn around time leaves to shame Unix vendors that take weeks or
> months to provide a patch. Oh well.

The "hotfixes", I'm sure, Unix vendors can supply just as quickly, but who wants to run a "beta-fix"? I've seen Unix vendors come out with fixes just as quick, but not very often. I've had Sun hand me back patches to test, rather timely too, when I've raised a problem under a support contract. I expect any Unix vendor would do the same if you raised a high priority call, but most of the people who bitch about it probably either don't have support or just don't lodge calls.

Maybe next time you're talking to your vendor with whom you have a support contract you should mention that if Microsoft can provide bug fixes so quickly why can't they. Heck, you might even get somewhere and they might decide to lift their game if they realise their profits are under threat.

I've seen the source of the problem which Unix sys admins are left to deal with and it's usually their bosses or others or purchasing officers who don't ever consider security (and attention to it in the form of providing timely updates to deal with issues raised on the 'net) when drafting purchase orders or tender requirements. When root directories are world writable, shell scripts are written (running as root) that create files in /tmp (mode 666) and so on, do you think anyone cares how secure the version of Unix they buy is?

Doesn't everyone know about the ~+~ story for SunOS4 and 4.1.4? It was put back in /etc/hosts.equiv for distribution because of customer demand after it was removed for 4.1.3(_U1 ?).

Darren