Full Disclosure mailing list archives
Re: Gates: 'You don't need perfect code' for good security
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 2 Nov 2003 10:43:21 -0600
"William Warren" <hescominsoon () adelphia net> wrote:
> Beaty, Bryan wrote:
>> Correct me if I am wrong but... I believe every worm listed below could have been prevented had everyone patched their systems.
> The Blaster worm preceded the patch so this argument is DOA.
Actually, you're dead wrong on that point. MS03-026 was released about a month and a half before Blaster began spreading. Although it left other vulnerabilities that were (at the time) unknown, the flaw exploited by Blaster was patched.
>> I would like the security community to take more responsibility for their own (in)actions. If you were hit by Blaster then you failed to enforce a good patch management policy. Whose fault is that? Patch management is boring and so we often ignore it. Hackers and worms simply take advantage of our laziness. I guess Blaster could be a form of social engineering. "I know admins don't patch so I can write a worm and kill the world."
> note above
The above has been noted, though only for its inaccuracies. He makes a very good point. No code is bug-free, this is a fact. So, the only way anyone in the security community can *hope* to stay up to date is with good patching / FW policy. Any good network admin should be using firewalling to block port 135 both directions, inside the LAN and out. If users have a problem with that, tough. Also, you should regularly install patches to protect systems inside the firewall.
>> There is no such thing as perfect code. If you want a completely secure system you can buy them but they are unbelievably expensive. If you have a business justification for something that secure then buy it. Otherwise you have to live with what you can get from Linux, UNIX, or even Microsoft. Microsoft has at least come out with some very good patch management systems lately (SUS) and they are free. Red Hat charges me a yearly fee for their RHN.
> You do not have to pay for RHN to get Red Hat patches. I ran RH9 for a bit on this notebook (had vid issues with all distros here) and was able to get all updates without subbing to RHN.
Right, but of course you'd rather stick to Windows Update and HFNetChk when you could have a tool like SUS which is far better for no fee. Like it or not, Microsoft has the best security response process of any vendor, in terms of getting patches out once they are available.
> MS has no choice but to come out with free patching tools because of the huge amount of patches for all MS products.
Even though MS, by the time you factor in the large number of components they ship, has had many times fewer patch releases than competing Linux distributions?

1. OpenSSH v. Remote Desktop / Terminal Services
OpenSSH: Two vulnerabilities in recent weeks
RD/Terminal Services: Zero vulnerabilities this year

2. Sendmail v. Exchange
As buggy as many people claim Exchange is, it has had two patches this year -- if you include OWA. Even though it provides substantially larger amounts of functionality for some uses, it has still had fewer vulnerabilities than its main competitor, Sendmail.

3. Apache v. IIS
Apache 2.0 especially, has never established itself as a server worthy of production use, due to the fact that it is riddled with security vulnerabilities. Apache 1.3 has also had some vulnerabilities -- the recent sub-request issue, Chunked encoding, etc. IIS has steadily improved in security, particularly with IIS 6.0. For a relatively new product, IIS has always been an innovator in security. Especially on Windows platforms, IIS offers many times better security and performance. That said, I do realize that Apache 1.3 was not initially written for Win32. However, its Unix releases also lack much of the account separation found in IIS 6. It is currently not possible to serve requests from different sites as different users in 1.3.
> I run Astaro Security Linux here at the house. Blaster and its ilk got killed at my then cable modem and never made it in. I have NetBIOS blocked incoming and outgoing and all e-mail is scanned at the firewall with all executable attachments being blocked.
That would be the policy that all networks should use -- firewalling. Funny that the same practices, even on an unpatched Windows XP system, would have been sufficient at blocking the worm. As long as port 135 and the related NetBIOS services (137, 139, 445, 593, etc.) were blocked, this worm would not make it in. And, truthfully, one should automatically block ports not in use by a system behind the firewall.
> However it is funny MS wants to make automated patch downloading mandatory when on every machine here the automatic Windows Update did not catch wind of new patches available on WU for sometimes after 7 days of the release on WU. MS has a long way to go on their patching, both in terms of quality of software and patches and delivery.
I am ignoring your "quality of software" argument, because it is simply moot. There is little difference in quality of software, and your previous point outlines Gates' original statement quite well -- you don't need perfect code. And, your complaint about WU has been noted by Microsoft. WU is an on-access utility -- you only learn about patches when you check it. This is perfectly sufficient for the millions of occasional users of home PCs out there. But the problem begins when you need to patch an entire network ASAP. Microsoft has created tools like SUS for this purpose. For free, we might add.
>> I believe the #1 security threat today is poor patch management. Is that Microsoft's fault?
> The number one security threat today is exploits that target a weak security model to a degree that exploits can be so easily 0-day released without anyone knowing. Also even with all patches right now IE (and therefore Windows) is still subject to remote download and installation of programs without user notification (this is widely known, just google for it).
Oh my god, IE's caching model is buggy (and I do mean buggy). Yes, after the recently released security bugs in the "caching" functionality of IE, said functionality has obviously been implemented without concern for security. Unfortunately, IE's many additional features do make it prone to areas of poor code impacting a large amount of functionality. In my opinion, one should be able to disable MS' proprietary extensions to the JavaScript standard in IE, to reduce the attack surface of the browser back to normal levels. That is one place where MS has really done a poor job of product quality assurance. A more general problem is that MS has never allowed security to drive a software decision (unless it was specifically a security tool, such as URLScan). This is why you see worthless, buggy, features like DOM caching in Internet Explorer.

However, even an IE vulnerability is not the end of the world. Disable Active Desktop, and Web Folder View, and the shell's exploit vector is closed. This limits the exploitation of these vulnerabilities to those users who continue to browse malicious sites, or *STILL* haven't secured Outlook (Express) to process messages in Restricted Sites. An even better option is the "Read messages as plain text" option in OE 6.0 SP1 and Outlook XP. Fact is, you don't get exploited if you have responsible browsing and e-mail reading practices. I ran IE 5.5 Gold without one patch installed for a year and a half, and never was exploited. Looking back at it, it probably wasn't the smartest thing I've ever done, but knowing that there were bugs required me to be a smarter browser.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
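The port-blocking policy Murphy lays out above (135 plus the related NetBIOS/SMB ports 137, 139, 445, 593), turned into a host-side audit as an added example that is not part of the original post: it parses a constructed Windows-style `netstat -an` listing and reports which of those ports the host actually exposes on a non-loopback address, so an admin can confirm what the firewall in front of it must cover. The sample listing, the `Socket` tuple and the function names are my own constructions; the port list is the one from the thread.

```python
"""Audit a netstat-style socket listing for the RPC/NetBIOS/SMB ports
named in the thread (135, 137, 139, 445, 593). Added example; the
listing below is constructed sample input, not real host output."""
import re
from collections import namedtuple

# Ports the post says to block in both directions at the firewall.
BLOCKED_PORTS = {135, 137, 139, 445, 593}
Socket = namedtuple("Socket", "proto addr port state")

# Constructed sample in the shape of Windows `netstat -an` (IPv4 only).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1044      ESTABLISHED
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""
# proto, local addr:port, foreign addr, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Parse netstat lines into Socket tuples; header and junk are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, state = m.groups()
            sockets.append(Socket(proto, addr, int(port), state or ""))
    return sockets

def exposed_sockets(sockets, blocked=BLOCKED_PORTS):
    """Sockets on a blocked port reachable from the network: loopback-only
    bindings are skipped, TCP must be LISTENING, any bound UDP counts."""
    exposed = []
    for s in sockets:
        if s.port not in blocked or s.addr.startswith("127."):
            continue
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        exposed.append(s)
    return exposed

def report(text):
    """Sorted (proto, port, addr) tuples the firewall must cover."""
    return sorted((s.proto, s.port, s.addr) for s in exposed_sockets(parse_netstat(text)))
```

On the constructed sample the report lists 135/TCP, 139/TCP and 137/UDP; the loopback-only 445 and the established 139 connection are not counted as exposure.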