[Dshield] What's wrong with this picture?

Micheal Patterson micheal at cancercare.net
Fri Jan 31 04:46:44 GMT 2003

----- Original Message -----
From: "Gasper, Rick" <rjgasper at kings.edu>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, January 30, 2003 8:47 PM
Subject: RE: [Dshield] What's wrong with this picture?

> I see something from the other side:
> MS gets blasted every time someone finds a way a hole in their software
> (sometimes they deserve it and sometimes not). IF they took a more
> proactive approach and scanned machines, then they could alert the admin
> to patch. Imagine a popup box or an email or event log that shows that
> patches are needed.

Possibly so. I personally don't trust that MS is honestly looking out for the
customers' best interest at hardly any time. IMO, past history shows that
they are blatantly negligent in responding to issues of network and security
natures in a timely manner. Win9x had major issues with its TCP stack and
fragmented packets. It took them, as I recall, 6 months to come up with the
patch for that. IIS, MS Exchange, etc. have all had major flaws when they
left the beta and went into widespread sales. These OS's weren't new, nor
were the products. It has also been proven over time that MS will correct an
issue, only to insert additional new issues as a direct result of the patch.
Granted, nothing is perfect in this day and age; however, again IMHO, it
would be in their best interest if they did additional testing on all
software that they released prior to its release. As most of us on this
list are painfully aware, the recent MSQL issue was noticed 6 months ago and
patches were made available to correct it. However, the instructions on both
patches that I saw were directly related to Server edition. For those in the
know, it's not a major issue. However, there were just too many end users
that have installed 3rd party software who were simply unaware that they
even had MSDE on their system. Then, when the problem occurred, they went to
get patches and could understand them. Then, to top that all off, SP3 for
Server was released with all current patches available, and the MSDE version
of SP3 wasn't released until AFTER this recent event. To me, that's
borderline negligence.

Again, that's just my opinion. That's why the majority of my main services
are running on OS versions other than a Windows platform. At least if
there's a major bug in sendmail, apache, qpopper, sshd, etc., there's usually
a short turnaround on getting it patched and corrected.

> I would prefer to use local tools such as baseline security advisor.
> However, short staffed admin might like that kind of attention. It might
> be easier to get downtime to apply patches.

If nothing else, I would think it would be possible to incorporate this test
within the Windows Update subsystem.


Micheal Patterson
Network Administration
Cancer Care Network
