Full Disclosure mailing list archives

Re: AW: no more public exploits

From: Valdis.Kletnieks () vt edu
Date: Tue, 27 Apr 2004 16:34:11 -0400

On Tue, 27 Apr 2004 20:06:33 +0200, "Baum, Stefan" <stefan.baum () eds com>  said:

IMHO, no sysadmin taking his work seriously, will wait patching the systems
until an exploit is available throughout the internet.


You've obviously never been the sysadmin who has a corporate VP breathing down
your neck saying "Like *HELL* you're going to install the patch now - we *HAVE*
*TO* stay up in order to get payroll out on time.  You install that patch and
break payroll, you won't get this paycheck, or any other, ever".

And no, neither hot failovers (think about it for a bit) nor test machines help
the problem - for many environments, the 48 hours we're usually down to is
*not* enough to regression test, schedule downtime, and deploy a security patch
that may include other bugfixes/features as well.

Attachment: _bin
Description:

Current thread:

AW: no more public exploits Baum, Stefan (Apr 27)
- Re: no more public exploits Exibar (Apr 27)
- Re: AW: no more public exploits Byron Copeland (Apr 27)
- Re: AW: no more public exploits Valdis . Kletnieks (Apr 27)
- Re: AW: no more public exploits Cael Abal (Apr 27)
- <Possible follow-ups>
- Re: AW: no more public exploits tcleary2 (Apr 28)
  - Re: AW: no more public exploits Bernard J. Duffy (Apr 28)
- RE: AW: no more public exploits Soderland, Craig (Apr 28)
- RE: AW: no more public exploits Ng, Kenneth (US) (Apr 28)
  - RE: AW: no more public exploits Blake Wiedman (Apr 28)