Full Disclosure mailing list archives
Re: Bill Gates blames the victim
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 31 Aug 2003 21:12:57 +0200
"Richard M. Smith" <rms () computerbytesman com> quotes Mr. Gates:
And ducking questions by blaming the victim: Q. "The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?" A. "Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort."
The "all of these things" part is not correct, according to several press reports.

| Pentagon sources last week confirmed that officials are investigating an apparent intrusion into at least one military server through a previously unknown vulnerability in Microsoft Corp.'s Windows 2000 operating system.

<http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79626,00.html>

| Update: In an unusual case, attackers have begun exploiting a new Microsoft bug before the flaw was widely known. Microsoft is urging sites to patch their servers as quickly as possible.
|
| Microsoft warned customers on Monday that a security hole in Windows 2000 and the company's Web server software is allowing online attackers to take control of corporate servers.
|
| Because the vulnerability is being actively exploited by Internet vandals, Microsoft advised customers to apply a patch or use a workaround to defend against the attack as soon as possible. One of the servers attacked belonged to the US Army, according to reports.

<http://news.zdnet.co.uk/business/0,39020645,2132071,00.htm>

| A hacker last week exploited a previously unknown vulnerability in Microsoft Corp.'s Windows 2000 operating system to gain control of a military Web server, and the extent of the damage done is still unknown.

<http://www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp>

There's still an unpatched RPC vulnerability (however, only DoS has been publicly demonstrated so far):

<http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00254.html>

Of course, it's convenient to ignore such problems and declare that regularly applied patches pave the way to secure software. But patching is a countermeasure that is merely in vogue right now. It's only a question of time before this approach breaks in a very obvious manner (one that cannot easily be blamed on sloppy system administration), and we have to try something different.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Bill Gates blames the victim Richard M. Smith (Aug 31)
- Re: Bill Gates blames the victim B.K. DeLong (Aug 31)
- Re: Bill Gates blames the victim pandora (Aug 31)
- Re: Bill Gates blames the victim Paul Schmehl (Aug 31)
- Re: Bill Gates blames the victim Florian Weimer (Aug 31)
- Re: Bill Gates blames the victim Peter Busser (Aug 31)