Security Incidents mailing list archives

RE: Microsoft's Early Xmas Present.


From: H C <keydet89 () yahoo com>
Date: Thu, 3 Jan 2002 08:59:03 -0800 (PST)


One thing that irritates me is the notion that "the
patch has been out for x
months and companies should be patched."  

I would have to agree.  I have conducted assessments
at enough locations to know that simply arbitrarily
installing a patch can do more harm than good.  And
not all organizations have the staff, technical
know-how, or hardware to test out patches.

However, I do think that more should be done by
individual organizations to come up with *some* means
of dealing with these issues.  Yes, Microsoft has done
quite a bit with their products to make them a
management and administrative nightmare, but I am also
quite sick of hearing the excuse that organizations
aren't subscribing to the Security Bulletins b/c there
are just too many to deal with.  It doesn't take much
more than a few seconds to see if the issue affects
you at all...if you use Eudora, then an Outlook
vulnerability won't be an issue, will it?

Arbitrarily installing every patch that comes out
isn't the answer.  But neither is doing nothing.  Do
router/firewall ACLs need to be updated?  What about
IDS signatures?  
 
Should admins be diligent in patching?
Absolutely.  Laziness is really
the only reason for not working on patches.
However, keep in mind that
while a shop with 20 servers can be patched
carefully in a week or less, a
shop with 300 can take significantly more time.

I agree.  However, look at Code Red...had admins
followed the simple tenet of not allowing unnecessary
services or functionality, the ida/idq script mappings
would have been disabled during or following
installation, and the systems would not have been
vulnerable.  Many of the affected systems didn't even
require the functionality.  Same is true for the older
.htr issue.  

Being diligent w/ patches is certainly something
important, but it's far more important to be diligent
w/ issues.  Default installations of products...any
products...are going to come back and bite you in the
butt.  


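The point above about Code Red and the .htr issue is that the ida/idq and .htr script mappings were surplus on most boxes and should have been removed at install time, independent of any patch, and that ACLs and IDS signatures still need attention afterwards. The following is an added example written for this archive page, not code from the original post or from Microsoft: it takes the ScriptMaps list as adsutil.vbs would print it (one "ext,handler,flags,verbs" string per mapping, a format and paths assumed here for illustration), keeps only the extensions the site actually uses, reports which handler DLLs are then orphaned, and scans W3C extended log lines (constructed, with an assumed field order) for requests that still target the dropped extensions. The sample entries and log lines are made up.

```python
"""Audit IIS script mappings against what a server actually needs, produce
the hardened list, and flag log requests aimed at the dropped extensions.
Added example for this page; not code from the original post.  Metabase
entry format, DLL paths and log field order are assumptions."""

import posixpath
from dataclasses import dataclass

# Constructed sample: ScriptMaps entries as adsutil.vbs lists them for a
# stock IIS 5 install, "ext,handler,flags,verb,verb,..." per entry
# (format, flag values and paths are assumed for illustration).
SAMPLE_SCRIPTMAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD",
    ".idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
]

# Constructed W3C extended log excerpt; the #Fields line fixes the layout.
# The first request mimics a Code Red style probe of /default.ida.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:12:33 10.1.2.3 GET /default.ida NNNNNNNN%u9090%u6858 200
2001-07-19 10:12:40 10.1.2.9 GET /index.asp - 200
2001-07-19 10:13:01 10.1.2.3 GET /iisadmpwd/achg.htr - 404
"""


@dataclass(frozen=True)
class ScriptMap:
    ext: str
    handler: str
    flags: int
    verbs: tuple

    def to_entry(self) -> str:
        """Serialise back to the metabase string form."""
        return ",".join([self.ext, self.handler, str(self.flags), *self.verbs])


def parse_scriptmap(entry: str) -> ScriptMap:
    """Split one ScriptMaps string; everything after the flags is a verb."""
    ext, handler, flags, *verbs = entry.split(",")
    return ScriptMap(ext.lower(), handler, int(flags), tuple(v.upper() for v in verbs))


def audit_scriptmaps(entries, needed_exts):
    """Return (kept, dropped).  Only extensions the site actually serves
    survive; every other mapping is surplus attack surface."""
    needed = {e.lower() for e in needed_exts}
    maps = [parse_scriptmap(e) for e in entries]
    kept = [m for m in maps if m.ext in needed]
    dropped = [m for m in maps if m.ext not in needed]
    return kept, dropped


def hardened_entries(entries, needed_exts):
    """The ScriptMaps list to write back once surplus mappings are removed."""
    kept, _ = audit_scriptmaps(entries, needed_exts)
    return [m.to_entry() for m in kept]


def orphaned_handlers(entries, needed_exts):
    """Handler DLLs no kept mapping references any more; candidates for
    removal from the box so a future mapping cannot quietly revive them."""
    kept, dropped = audit_scriptmaps(entries, needed_exts)
    still_used = {m.handler.lower() for m in kept}
    return sorted({m.handler for m in dropped if m.handler.lower() not in still_used})


def scan_log(log_text, watched_exts):
    """Return (c-ip, cs-uri-stem, sc-status) for requests whose stem ends in
    a watched extension.  A 404 after the mapping is gone is still a probe
    worth feeding to the IDS or the firewall ACL review."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        if posixpath.splitext(stem)[1].lower() in watched_exts:
            hits.append((rec["c-ip"], stem, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    needed = [".asp", ".asa"]          # what this hypothetical site really uses
    kept, dropped = audit_scriptmaps(SAMPLE_SCRIPTMAPS, needed)
    print("keep:", [m.ext for m in kept], "drop:", [m.ext for m in dropped])
    print("orphaned handlers:", orphaned_handlers(SAMPLE_SCRIPTMAPS, needed))
    for ip, stem, status in scan_log(SAMPLE_LOG, {m.ext for m in dropped}):
        print(f"probe from {ip}: {stem} -> {status}")
```

The needed-extension list is the input a site owner has to supply; the script deliberately refuses to guess it, because the whole argument above is that the decision belongs to the organization, not to the installer defaults. Note that the log scan keys on the request stem alone, so it catches probes against .ida/.idq/.htr whether the server answers 200 or 404.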

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
