Full Disclosure mailing list archives
Re: Disney Down?
From: Micheal Espinola Jr <michealespinola () gmail com>
Date: Wed, 17 Aug 2005 12:28:54 -0400
Thanks for correcting my spelling error.

You mention that this issue "will have little or no presence on consumer systems", but you do realize that you are writing for the "Enterprise News & Reviews" magazine, eWeek - right? You also realize that MS05-039 affects the current "consumer" version of Microsoft Windows (aka Windows XP) - right?

You also say, "If it had been International Paper or some company like that rather than media outlets I suspect it wouldn't be getting all this attention". While this is likely true, this exemplifies the need to take security matters more seriously. MS05-039 was issued on August 9, 2005, and major companies were still exploited 6 days later. Your own story emphasizes the lack of consideration that is still being given to security vulnerabilities, even though Microsoft is continuously scrutinized at a product level for what is increasingly related to poor administrative and security practices.

Applying this particular patch takes mere moments to download (a 500-600k file depending on your OS), moments to install, and a recommended reboot (although only 3% of the systems I personally patched technically required it). The entire procedure for patching a single system would require less than 5 minutes to perform (omitting the time of the reboot). Distribution of this patch on scale is also relatively trivial for someone whose position it is to do it.

Trivializing this (or any) security patch is quite a gamble. As Security Center Editor for eWeek, it surprises me that you would take such a position. Any vulnerability that would allow for remote code execution and elevation of privilege should be treated as a top priority, from both internal and external attack vectors. An issue such as this should not be treated as a likelihood; it should be treated as a possibility. When you think in this manner, your priorities change.

I'm not trying to badger you, but in light of the Disney, CNN, ABC, and The New York Times mishaps (amongst others), I must admit that I'm glad I don't follow your column or style of advice.

On 8/17/05, Larry Seltzer <larry () larryseltzer com> wrote:
"So patch your systems, but don't miss your kid's play in order to do it. We've seen a lot worse than this in the past."

Brilliant advise[sic]!

Yeah, clearly I timed the column badly, but I still think there's more smoke than fire on this outbreak. If it had been International Paper or some company like that rather than media outlets I suspect it wouldn't be getting all this attention. I also think it's fair to say that when it dies down, relatively soon, it won't achieve the endemic status of Blaster and Sasser because it will have little or no presence on consumer systems.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/