Full Disclosure mailing list archives
Re: EEYE: Microsoft ASN.1
From: D B <geggam692000 () yahoo com>
Date: Wed, 11 Feb 2004 19:06:15 -0800 (PST)
Date: Wed, 11 Feb 2004 12:29:56 -0800 To: pdt () jackhammer org Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] EEYE: Microsoft ASN.1 Library Bit String Heap Corruption From: <bart2k () hushmail com>
I for one am very grateful for the fact that eEye releases technical information on the flaw. I think it helps us ALL to know the technical information so WE as security and IT professionals have a better idea of what the real risk is.
I'm sorry but Microsoft Knowledge Base KB828028 tells me nothing of any immediate value, plenty of web links to other advisories and documents which will take me weeks to follow and read through before I know what the heck they are patching and if it is truly a HIGH risk exposure for my environment. The eEye documents and other such providers of technical documents are much better advisories at least that is MHO.
I would like to add something from a person's perspective as one just learning about computer security. Everyone tells me the learning curve for Linux / BSD / Unix to be so high, I would debate that fiercely on the simple fact keeping up with the amount of exploits on windows to be more than I really care to learn. Granted more machines run windows with idiots as users which gives exploits a larger playing field but the forthright way an opensource system approaches exploits leaves little room for obfuscation. I'm not a coder but when someone says a ceratin code has an exploit I can look at it and learn why it happens on opensource, with windows im reduced to trusting other people ( I have a hard time doing that ) This list expands my knowledge by allowing me to see more knowledgeable people discuss exploits and provides me with some way to form my own opinions. Windows is here to stay as it does have alot more enduser features however to leave windows exposed to the internet is in my opinion a security exploit waiting to happen. My solution would be to have all servers on a Unix style platform protected by a competent firewall with an image server that reformats and installs the OS overnight ( if possible ) and prohibiting write permissions on that windows computer in any directory but a network file system, to be backed up nightly.... gotta love cron. ( is this a pipe dream ? ) Provided I ever get control of a network. __________________________________ Do you Yahoo!? Yahoo! Finance: Get your refund fast by filing online. http://taxes.yahoo.com/filing.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: EEYE: Microsoft ASN.1 D B (Feb 11)