[Dshield] Microsoft patches

Bruyere, Michel mbruyere at ezemcanada.com
Mon Oct 20 17:07:31 GMT 2003


Hi, 
	In response to this statement: 

> It is interesting to note that even with all the publicity
> and
> encouragement to keep the patches up to date, there are still a
> considerable
> number of systems still (Both Windows and Linux) on the internet that have
> not
> done so, and as a result are compromised, and continue to attempt to
> compromise
> others.  

I first understand (but don't endorse) why many companies (even big 1!)
often don't install patches... I been to a place where the IT manager was
clueless about security and though that: "We are behind a firewall and we
have AV. More, we are in a "closed" environment. The other answer a saw
often was, we are a small company, hacker won't bother trying on us.... or
what are the probabilities that such hack occur to us?

Often the problem don't come from the technology, it's coming from the
people who don't understand consequences of not "securing" the network. Al
tools are there to keep systems up2date; it's just to convince/teach
everyone to install patches ASAP. 


I'm looking to find some doc with factual things that I could use to
"teach/light-up" someone about the real dangers of vulnerabilities. Just
because there is many peoples (around me) that still think that "firewalls"
are the safest (by safest, I mean everything proof! Nothing can reach us, we
are behind a firewall) and only way to protect themselves (with AVs). 
I'll appreciate if someone has such paper and is willing to share it ;) 


>I do not consider failure to maintain systems as something that
> should
> be blamed on the publisher.
> 

This is true, but if the code is reviewed at the conception level, there
would be fewer patches to install. 

> My mail servers still intercept Klez, SoBig, and other virus infected
> email,
> although solutions for these compromises have been available for free for
> many
> months now.

I too, as I still sees many 135/137 attempts... 

> 
> My rant would be to stop bashing the Operating System publishers (either
> windows
> or Linux) and trying to avoid responsibility for your own networks.  Most
> patches are downloadable as a file, which then can be copied to disk and
> then
> local updates performed without downloading them again and again.  On
> larger
> networks, technology is readily available to download once and push the
> patches
> to other machines on the network.  The failure to keep online systems up
to
> date, is the fault of the system or network administrator, and not that of
> the
> publisher.   End rant..
> 

Yup that is true, but again like I said, at some places network admin have
hands tied up. Another problem to install patches (in my opinion) is the
fact that you need to reboot the entire server, which increase dramatically
the downtimes.
 
But in generals I agree with you as to the fact that keeping a network
secure takes time and "sometimes" money. I just wish that more peoples
understand that fact.


My 0.02


M.Bruyere




More information about the list mailing list