Forwarded from: elizabeth.lee.contractorat_private I submit that it is not always the adminstrators who impede the application of security patches to systems. In distributed environments, interested parties of various levels of authority must be contacted, cajoled and convinced that patch application is necessary. I have seen it happen far too often. Those who do not receive the BugTraq or CERT email, who don't visit security websites, who say "Isn't that why we have a firewall?" -- they never believe it will happen to them so they refuse to allow downtime. True is true. -----Original Message----- From: InfoSec News [mailto:isnat_private] Sent: Wednesday, November 20, 2002 12:01 AM To: isnat_private Subject: [ISN] Security holes aren't being filled http://zdnet.com.com/2100-1105-966398.html By Robert Lemos Special to ZDNet News November 19, 2002, System administrators are still not patching systems frequently enough, according to a recently published study of a software security flaw that allowed the Linux Slapper worm to spread. In fact, even after the Slapper worm highlighted the existence of a vulnerability in the Web security software known as OpenSSL, three out of 10 systems that had the flaw continue to be vulnerable even today, said Eric Rescorla, an independent security consultant. "Administrators aren't as responsive as they should be," he said. "Even after a relatively serious hole is found, administrators don't do the right things." [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 02:05:06 PST