Security Incidents mailing list archives

RE: Releasing patches is bad for security


From: "Curt Purdy" <purdy () tecman com>
Date: Thu, 26 Feb 2004 14:05:05 -0600

Chris Brenton wrote:

This is just such a hoot I had to share:
http://news.bbc.co.uk/1/hi/technology/3485972.stm
The story quotes David Aucsmith, who is in charge of technology at
Microsoft's security business and technology unit, as stating:

"We have never had vulnerabilities exploited before the patch was
known,"

Then how did I get a copy of dcom.exe 2 days before they released the DCom
RPC patch?  And it was surely in the deep underground longer than that.  A
very effective exploit too, giving you a command line in 5 seconds on an
unpatched box.

I would call it less of a hoot and more like a bald-faced lie.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


