Bugtraq mailing list archives

Re: Update on wide-spread NewTear Denial of Service attacks


From: newsham () LAVA NET (Tim Newsham)
Date: Wed, 4 Mar 1998 12:35:27 -1000


If every single patch/fix/hotfix for NT was fully regression tested
before being released, such fixes would not see the light of day, let
alone a customer's machine, for months.

I've gotten several replies like this already (and I just posted
the original post a few hours ago).  Yes, I know companies like to
disclaim things to "protect" themselves.  I know they want a quick
lead time.  I know all of this.  So what?  If Microsoft puts out
a fix and RECOMMENDS that people don't apply it, guess what, people won't
apply it.  Microsoft either needs to recommend that everyone applies
their security fixes, or they need to EXPECT that people won't apply
them.  It's that simple.  They want to require that everyone has
the fixes without taking responsibility for problems that might
arise from installing the fixes.  This is unacceptable.

Microsoft releases regular patch kits, which are fully regression
tested, called Service Packs, which incorporate all the hot fixes
released since the last one. I would much rather have Microsoft say they
don't know if the fix will work in all environments, but make it
available to me to try, than to have them wait for the full testing you
call for.

I would beg to differ.  The problem with service packs is exactly that
they have not been released regularly.  I have no objection to
the strategy of releasing hot fixes quickly then following up
with more proper service packs.  I do have problems with Microsoft
failing to take responsibility for patches that are obviously
"required" patches for anyone who has bought NT on the promise that it
is secure.

For years people complained that Microsoft wasn't responsive enough to
security issues and now, when they make patches available in days, it
seems like you're asking them to go back to their old ways.

You seem to have entirely missed the point of my post.

Nobody does full regression testing on an OS patch that's available in
days, nobody. The warning is a simple reminder it's not possible.

The way it's worded, the warning is more than that.  The warning explicitly
states that you SHOULD NOT apply the patch unless you are experiencing
problems.

Do you simply not see why I find fault with this?

Russ


                                    Tim N.
