Full Disclosure mailing list archives
Re: Getting Off the Patch
From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 19 Jan 2011 12:44:56 +0100
I think at this point we need to put a line between those who |don't care about patches|, those that |install patches after careful testing|, and those that |install whatever patch| comes their way. Cheers. On Wed, Jan 19, 2011 at 12:25 PM, Jeffrey Walton <noloader () gmail com> wrote:
Sorry about the top post - just one comment....Bottom line is that patching interferes operations and therefore,Its a sad state of affairs when folks put other endeavors, such as uptime, above security. I can't speak for others but I hope my data is not housed at such a shop. If my data went out the e-door of such a shop, and the shop was not patching, then I would consider the shop's practices grossly negligent. It would be irrelevant to me who claimed it was OK for whatever reason. Jeff On Wed, Jan 19, 2011 at 6:08 AM, Cor Rosielle <cor () outpost24 com> wrote:I don't agree with the statement: "From a security standpoint, patchingisbetter than not patching. Period.". Sometimes patching is the right solution, often it is not. Since someaskedexperiences from larger companies, here is one: In 2001 I was responsible for maintaining all kinds of systems andservicesat a telephony and internet provider. One morning a list with our company name in it was mentioned in the radio news bulletins. We also found ournamein this list in articles in newspapers. A "hacker" found we didn'tinstall apatch on one of our web servers which ran IIS 5.0 on Windows 2000. Thepatchwas available for about 3 months and the hacker claimed he could attackourserver because of this specific patch missing. Because of his "ethical standards" he did not try to really attack the server but just publishaboutthe shameful patching policies in large companies. Three years later, when a new website was developed, the server was replaced. The patch was still not installed. Even though we were in the radio news bulletins and news papers and the world knew about ourvulnerableserver, no successful attack occurred in all that time. O yes, they tried. I've seen it in our log files. But because otherdefensemechanisms, the known exploit did not work on our server. And since thewebserver was in no danger without this patch, we decided installing thepatchwould be a higher risk than leaving the server as is. I did not know about the OSSTMM in those days. If I did, I could have explained why patching is not always the best solution: it interfereswithyour operations. And if it influences you operations, you better controlit.Not blindly execute it and install the patch using an automated update process, but actually control it. So the first thing to do is to decide if applying a patch is useful atall.And often it is not! E.g. why would you even consider to install MS10-085ona http-only web server (MS10-085 apparently fixes an error in TLS handshake)? (Don't flame me on this one, it's just meant as an example).Andif you concluded a patch is useful, then you decide if you do need to install it, or if it is not really necessary to install it. And if you install it, then decide if you do it manually, in a controlled manner, or use an automated update process, in an uncontrolled manner. The OSSTMMhelpsyou to realize that an automated update process increases the attack surface, which better be controlled. Another option of course is to blindly install it, because you trust your vendor (you know, the one that provided buggy software in the firstplace).Then your not controlling, but trusting. Read chapter 5 in the OSSTMM to find out if that is wise for this particular vendor, or not. Bottom line is that patching interferes operations and therefore, from a security standpoint, it either has to be controlled or trusted. It is not always true that patching is better than not patching. So I wouldslightlylike to rephrase that statement: "From a security standpoint, thinking is better than not thinking. Period.". (Now would it surprise you if I told you that critical thinkingisone of the starting points of the OSSTMM??. Cor Rosielle Chief Technology Officer-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full- disclosure-bounces () lists grok org uk] On Behalf Of Thor (Hammer of God) Sent: dinsdag 18 januari 2011 19:39 To: Valdis.Kletnieks () vt edu; Cal Leeming [Simplicity Media Ltd] Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Getting Off the PatchOn Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]"said:Most people wouldn't rely solely on patch day to protect their systems/networkYou're in for a surprise.One, as Cal pointed out, you cut out the context of what he said/meant. And two, so what if they do? At least they are patching. If security is the goal, then advocate for security in depth. From a security standpoint, patching is better than not patching. Period. If you have controls in place to mitigate exposure, then they should be combined with patching. Are you taking the position that the level of "being surprised" at the number of people who only patch dictates that they stop patching and try to successfully implement other controls so they don't have to patch? Playing "whack a mole" was entertaining, but in all seriousness, your responses to this thread have been confusing to me. Any security model that not only advocates non-patching, but that is designed with the intent of not patching is completely retarded. I defy anyone to provide verifiable evidence to the contrary that is not based on a server and a couple of workstations. Even the self-proclaimed "marketing" guy who admitted he didn't know how to patch couldn't come up with a single shred of substantiating research to support anything different. Comparing his "research" to Einstein and general relativity is a level of ass-hattery that rivals some of the worst on the list. So when I see you apparently supporting the idea, as someone who normally provides some sort of empirical backing to his statements, I become interested in what factors lead you to that conclusion. t_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Getting Off the Patch, (continued)
- Re: Getting Off the Patch phocean (Jan 18)
- Re: Getting Off the Patch coderman (Jan 18)
- Re: Getting Off the Patch Christian Sciberras (Jan 18)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Christian Sciberras (Jan 19)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Valdis . Kletnieks (Jan 18)
- Re: Getting Off the Patch Thor (Hammer of God) (Jan 18)
- Re: Getting Off the Patch Cor Rosielle (Jan 19)
- Re: Getting Off the Patch Jeffrey Walton (Jan 19)
- Re: Getting Off the Patch Christian Sciberras (Jan 19)
- Re: Getting Off the Patch Cor Rosielle (Jan 19)
- Re: Getting Off the Patch Valdis . Kletnieks (Jan 19)
- Re: Getting Off the Patch cpolish (Jan 19)
- Re: Getting Off the Patch Valdis . Kletnieks (Jan 19)
- Re: Getting Off the Patch Thor (Hammer of God) (Jan 19)
- Re: Getting Off the Patch Thor (Hammer of God) (Jan 19)
- Re: Getting Off the Patch Cor Rosielle (Jan 19)
- Re: Getting Off the Patch Pete Smith (Jan 19)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)