JNJ wrote:
> I have to disagree. Microsoft released a patch for this issue on 6/18/2001.
> Here we are, a tad over a month later, and the issue is being exploited en
> masse. This calls into question the attention of systems administrators to
> their networks. The days of selective application of security patches are
> long since over. IMHO, systems affected by this recent outbreak are being
> administered by techs that need to pay closer attention to their
> installations and keeping them up to date.

The issue of timely patch application is rather complex. Bill Arbaugh (bcc'd) had an excellent paper at the 2001 IEEE Symposium on Security and Privacy (Oakland, http://www.ieee-security.org/TC/sp2001.html ) that showed how the vast majority of exploitations resulted from known vulnerabilities that had not been patched. The paper ( http://www.cs.umd.edu/~waa/vulnerability.html ) shows some interesting trend graphs that draw the ballistic curves of rising and subsequently falling exploitation rates, and the events that trigger these rate changes.

It is also not clear that all patches should be applied immediately. Some vulnerabilities are discovered when they are being actively exploited, forcing vendors to rush patches into production, and resulting in less than optimal QA on those patches. Thus sometimes a patch will come out that breaks stuff, teaching admins to let someone else go first.

Which leads to Immunix's research agenda of building tools that protect vulnerable software against unknown vulnerabilities, so that patches don't need to be urgent <insert product pitch here :>

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 09:13:36 PDT