From: Schwartz, Stanley (sschwartzstlo.smhs.com)
Date: Tue Apr 16 2002 - 06:43:36 CDT


    Hello again!

    Apparently, we are forgetting what initiated my first response. It was
    someone stating that (basically) all security starts and ends with the
    admin. I disagree with that statement. I think it starts with a properly
    coded OS (whether it's Microsoft or not), and it should end with the admin.

    -----Original Message-----
    From: Arendt, Jordan ED0 [mailto:Jordan.Arendtsasked.gov.sk.ca]
    Sent: Monday, April 15, 2002 5:34 PM
    To: 'Schwartz, Stanley'; 'focus-mssecurityfocus.com'
    Subject: RE: Users slam Microsoft Security Analyser

    Stanley,

    This is an invalid argument as it applies to all NOS's.
    As to why MS should release the patches? Because some of us do subscribe to
    the MS security list, and this list, and NTbugtraq, and we do apply the
    patches.

    Microsoft has the same responsibility that all other software vendors have.
    When someone reports a bug, they investigate it, create a patch, (test it :)
    ), and notify the public at large.

    Yes, MS coded the bug into their OS/APP. And, yes it's possible a hacker
    could be exploiting it before a patch is released. This is so for all
    Apps/OS's. So, don't use any of them.

    Jordan

    -----Original Message-----
    From: Schwartz, Stanley [mailto:sschwartzstlo.smhs.com]
    Sent: Monday, April 15, 2002 3:11 PM
    To: 'Marc Fossi'; 'focus-mssecurityfocus.com'
    Subject: RE: Users slam Microsoft Security Analyser

    Again, before you reported it on Dec 7th, our systems were still vulnerable,
    we just didn't know it yet.

    I agree that a good admin will use all his/her resources to defend their
    systems. However, if it's up to admins to fix or work around all the
    vulnerabilities in Windows, why should Microsoft bother releasing hotfixes?
    Does Microsoft have any responsibility here?

    The point is that Microsoft coded Windows with this vulnerability (and
    others, some of which we don't know of yet) in it, and saying that good
    admin(s) can defend against attacks isn't necessarily always true.

    Stan :)

    -----Original Message-----
    From: Marc Fossi [mailto:mfossisecurityfocus.com]
    Sent: Monday, April 15, 2002 3:50 PM
    To: Schwartz, Stanley
    Cc: Focus-MS
    Subject: RE: Users slam Microsoft Security Analyser

    On Mon, 15 Apr 2002, Schwartz, Stanley wrote:

    <snip>
    > Example (read as content): Did you know your Active Directory domain
    > was susceptible to that Group Policy vulnerability before the alert
    > came out (which was listed on one of the pages I referenced)?
    > Ignorance IS bliss....ain't it?
    <snip>

    http://online.securityfocus.com/bid/4438

    This was a known issue for a while before MS patched it. It was reported by
    3APA3A to Bugtraq on Dec. 7, 2001
    (http://online.securityfocus.com/archive/1/244329).

    The key here is not just to wait for MS to tell you that something is
    broken, but to monitor lists like Bugtraq for new vulnerability
    announcements. There are some vulnerabilities that were announced on
    Bugtraq months ago that MS still has not addressed. The good thing is that
    usually a lot of people from the community will make suggestions for
    workarounds for these issues until MS gets around to patching it.

    As a responsible admin, the onus is on you to make use of all the available
    resources.

    Cheers,

    Marc Fossi, MCSE
    SecurityFocus
    www.securityfocus.com