Full Disclosure mailing list archives
Re: [inbox] Re: 3 new MS patches next week... but none fix
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 10 Jan 2004 09:35:09 -0800
It's not that Microsoft doesn't have a clue, they do. We are getting regular patches for holes that are found are we not? If they didn't have a clue, we would have yearly patches or none at all. Ok, there may be some holes that aren't patched yet, but I'm sure they're working on them and they're coming. Some patches just have to take precedence over others.
No. Microsoft blatantly ignores many vulnerabilities. Come this next round of patches, they will have ignored the %00/%01 IE hole for well over a month. No notice to customers, no workarounds, nothing. How long did the IE Certificate vulnerability sit on Thor's site before it was finally patched in all versions of windows? 2 years? 3?
I've seen quite a few vulnerabilities come across this list in this past week, not many have vendor fixes yet either. This is not a Microsoft exclusive problem. We need a better way to patch systems, ALL systems.
Of course. A lot of vendors suck. But some have it (almost) figured out.
I've said it once on another list, and I'll say it here, we need a sort of "patching server" that is on an isolated subnet. When a machine first connects to the network, it gets an IP address and is only allowed to talk to the patching server(s). Once the patching servers (for ALL OS's mind you) determine that the machine is up to date with it's patches, then and only then is it allowed to connect to the production network.
Ok, that's fine and all, until you run across the next M$ patch that rolls "feature" changes into the bugfix patch, and they happen to break your custom application. Or until you try to roll a patch out that accidentally rolls BACK some of your other DLLs to an old, vulnerable version. *cough slammer cough* So, here are two rules a patching system should follow: 1. All patches regression tested against all previous vulnerabilities. 2. Never roll any functionality changes along with security fixes. I am sure there are others to follow, but I can't think of them right now.
Let me ask this question, if you were running a company with 30,000 LINUX boxes. How would you patch all of them? Don't a lot of Linux patches require a re-build of the kernel?
NO. The vast majority of vulnerability patches do not require any rebuild of the kernel, which means you don't even have to reboot. How I run a secure server? Debian stable. To patch: # apt-get update # apt-get upgrade DONE. Many other Linux distributions have similar sets of commands that are just as easy, and you don't have to buy 3rd party software to make it work. Oh, and if you want to patch ALL of your 30000 systems, just install your public SSH key on each of the when you build them, and: for S in `cat servers.txt`; do { ssh root@$S "apt-get update; apt-get upgrade"; } done; or something to that effect. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: 3 new MS patches next week... but none fix Randal, Phil (Jan 09)
- Re: 3 new MS patches next week... but none fix Exibar (Jan 09)
- Re: 3 new MS patches next week... but none fix Tim (Jan 09)
- Re: 3 new MS patches next week... but none fix madsaxon (Jan 09)
- RE: 3 new MS patches next week... but none fix Joe (Jan 10)
- Re: 3 new MS patches next week... but none fix Tim (Jan 10)
- RE: [inbox] Re: 3 new MS patches next week... but none fix Exibar (Jan 10)
- Re: [inbox] Re: 3 new MS patches next week... but none fix Tim (Jan 10)
- Re: [inbox] Re: 3 new MS patches next week... but none fix Jan Lühr (Jan 10)
- The Israeli Post Office break-in ge (Jan 11)
- Re: [inbox] Re: 3 new MS patches next week... but none fix lonely wolf (Jan 10)
- Re: [inbox] Re: 3 new MS patches next week... but none fix Ron DuFresne (Jan 12)
- Re: [inbox] Re: 3 new MS patches next week... but none fix William Warren (Jan 11)