Information Security News mailing list archives

RE: Security holes aren't being filled


From: InfoSec News <isn () c4i org>
Date: Fri, 22 Nov 2002 01:20:48 -0600 (CST)

Forwarded from: elizabeth.lee.contractor () fnmoc navy mil

I submit that it is not always the administrators who impede the
application of security patches to systems.  In distributed
environments, interested parties of various levels of authority must
be contacted, cajoled and convinced that patch application is
necessary.  I have seen it happen far too often.  Those who do not
receive the BugTraq or CERT email, who don't visit security websites,
who say "Isn't that why we have a firewall?" -- they never believe it
will happen to them so they refuse to allow downtime.

True is true.

-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Wednesday, November 20, 2002 12:01 AM
To: isn () attrition org
Subject: [ISN] Security holes aren't being filled


http://zdnet.com.com/2100-1105-966398.html

By Robert Lemos 
Special to ZDNet News
November 19, 2002, 

System administrators are still not patching systems frequently
enough, according to a recently published study of a software security
flaw that allowed the Linux Slapper worm to spread.

In fact, even after the Slapper worm highlighted the existence of a
vulnerability in the Web security software known as OpenSSL, three out
of 10 systems that had the flaw continue to be vulnerable even today,
said Eric Rescorla, an independent security consultant.

"Administrators aren't as responsive as they should be," he said.  
"Even after a relatively serious hole is found, administrators don't
do the right things."

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

