Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Full analysis of the .ida

From: mardy.hutchinson () netaxis ca
Date: Fri, 20 Jul 2001 14:34:55 -0400 (EDT)



  This is hogwash.

  When Microsoft issued the bulletin, it was quite clear that it
was to fix an Index Server problem.  

  Since we, among others, had not been running the Index Server because 
of its historical security flaws, the patch did not appear to be
required.  You don't blindly apply patches that have no apparent
bearing on your system -- it may break other things.

  Surprise!  It was.

  This was truly a misleading security release.  In effect, there was
no notification.  You can't expect harried sysadmins to read between 
the lines.  Even Microsoft themselves did not feel the need to apply 
the patch to some servers, probably for much the same reasons.

-- Mardy






This DOES raise some pretty fundamental questions about the security of
all the infrastructure, because, in theory the compromised servers
_could_ have been exploited more extensively and _could_ be delivering
nastily compromised stuff around. I have no reason to believe it has
happened, but still...


<soapbox>
I have to disagree.  Microsoft released a patch for this issue on 6/18/2001.
Here we are, a tad over a month later, and the issue is being exploited en
masse.  This calls to question the attention of systems administrators to
their networks.  The days of selective application of security patches are
long since over.  IMHO, systems affected by this recent outbreak are being
administered by techs that need to pay closer attention to their
installations and keeping them up to date.

As the world reliance on computer systems continues to increase, it become
more and more imperative that people learn these are not simply toasters
that sit on the kitchen counter.  Regular maintenance and attention is
required and an irresponsible or ignorant attitude towards these things is
the true threat to the infrastructure.  The only security issue here is the
human element as always.  Microsoft has already come up with a tool that
automagically notifies users/admins of the need to update their system
within moments of a patch being released.  What should they do next --
auto-patch the systems for the user/admin to ensure the security of the
infrastructure?  Maybe the user/admin needs to learn about that toaster on
the countertop.
</soapbox>

James
Previous By Date Next
Previous By Thread Next

Current thread: