Full Disclosure mailing list archives

Re: Bill Gates blames the victim


From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 31 Aug 2003 21:12:57 +0200

"Richard M. Smith" <rms () computerbytesman com> quotes Mr. Gates:

And ducking questions by blaming the victim:

   Q. "The buffer overrun flaw that made the Blaster worm 
   possible was specifically targeted in your code reviews 
   last year. Do you understand why the flaw that led to 
   Blaster escaped your detection?"

   A. "Understand there have actually been fixes for all of 
   these things before the attack took place. The challenge 
   is that we've got to get the fixes to be automatically 
   applied without our customers having to make a special effort."

The "all of these things" part is not correct, according to several
press reports.

| Pentagon sources last week confirmed that officials are
| investigating an apparent intrusion into at least one military
| server through a previously unknown vulnerability in Microsoft
| Corp.'s Windows 2000 operating system.

<http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79626,00.html>

| Update: In an unusual case, attackers have begun exploiting a new
| Microsoft bug before the flaw was widely known. Microsoft is urging
| sites to patch their servers as quickly as possible
| 
| Microsoft warned customers on Monday that a security hole in Windows
| 2000 and the company's Web server software is allowing online
| attackers to take control of corporate servers.
| 
| Because the vulnerability is being actively exploited by Internet
| vandals, Microsoft advised customers to apply a patch or use a
| workaround to defend against the attack as soon as possible. One of
| the servers attacked belonged to the US Army, according to reports.

<http://news.zdnet.co.uk/business/0,39020645,2132071,00.htm>

| A hacker last week exploited a previously unknown vulnerability in
| Microsoft Corp.'s Windows 2000 operating system to gain control of a
| military Web server, and the extent of the damage done is still
| unknown.

<http://www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp>

There's still an unpatched RPC vulnerability (however, only DoS has
been publicly demonstrated so far):

<http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00254.html>

Of course, it's convenient to ignore such problems and declare that
regularly applied patches pave the way to secure software.  But
patching is a countermeasure that is merely in vogue right now.  It's
just a question of time until this approach breaks in a very obvious
manner (one that cannot easily be blamed on sloppy system
administration), and we have to try something different.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html