Full Disclosure mailing list archives

RE: Operating Systems Security, "Microsoft Security, baby steps"


From: Todd Burroughs <todd () hostopia com>
Date: Fri, 19 Mar 2004 01:49:42 -0500 (EST)




On Thu, 18 Mar 2004, Schmehl, Paul L wrote:

> > Updating any OS is a pain in the ass, but all of them have
> > flaws and need to be updated.  I find that at least with the
> > UNIX-like ones, you can go on the Net and do your updates
> > faster than you get rooted.
>
> This is foolish thinking.  Do you really think that, when a patch comes
> out, *then* the hackers start working on exploits?  The exploits were
> being used *long* before the patch comes out.  The only thing a patch
> gets you is protection against *future* hack attempts against *that*
> weakness.

Wasn't that something that MS tried to say, the "hackers" are reverse
engineering our patches?  That was funny, but the sad thing is that a
lot of people will believe it.

What I meant is that you can most likely actually use the Internet to get
patches with a fresh install before you get taken over, not that somehow
UNIX-like systems make patches before the exploits are out there and being
used ;-)  It's quite apparent by other threads on the list that this is
not generally the case with Windows.  Just being patched doesn't mean
that you are safe, but it's better than running well known security holes.

Obviously, if you go on the Net with all services running, especially
on an unpatched box, you're gonna get rooted pretty quickly.

Todd Burroughs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

