| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk) Subject: Re: Microsoft Security, baby steps ? > -----Original Message----- > From: Troy [mailto:th@...o.com] > Sent: Monday, 15 March 2004 16:35 > To: full-disclosure@...ts.netsys.com > Subject: Re: [Full-Disclosure] Re: Microsoft Security, baby steps ? > > > On Mon, 15 Mar 2004 09:13:54 -0500, "Edge, Ronald D" > <edge@...iana.edu> wrote: > > > >although this could be amusing... > > >http://www.microsoft.com/security/protect/cd/order.asp > > > > I particularly like the second link, which states on > ordering a security > > CD: > > > > "Please allow 2-4 weeks for delivery." > > > > By which time of course there will be either: > > a) a patch to correct the mistakes in the patch on the CD > > which is in mail > > or > > b) a whole new round of patches > > or > > c) it will be too late to apply them because the users machine > > is already trojaned to hell and back. > > Actually, that CD only includes the updates as of October 2003. It is > not meant as a replacement for security updates, but just to make it > easier to do a clean install of Windows. I suppose part of it is to > lessen the load on Microsoft's Windows Updates servers, but > it does make > re-installing Windows much easier and faster for the average user who > does not know how to slipstream the updates into the Windows > install CD. > Slipstreaming Windows 2000 SP4 is relatively easy, however you'll find that you can't run certain Microsoft Java applications (eg Outlook Web Access Calendar), nor can you install msjvm.exe either if you do. Slipstreaming an earlier version and then upgrading to SP4 and Microsoft Java works. The Sun version of Java doesn't work in this instance either (I've tried). For 2000 and XP systems you can download the updates from Windows Update and put them on your own CD together with any service packs. Given how quickly machines can be infected that's more useful than a CD from Microsoft. Those of you still supporting NT4 servers are stuck with Windows Update now as several updates can only be retrieved with the use of a NIC. What is it with Microsoft and security? Come on Microsoft. How about putting together a single file that contains all the "critical" security updates since the last service pack for a given OS? Then us beleaguered admins can stick it on a CD together with the relevant service packs and we'd no longer need to use the NIC until a machine is fully patched. Who knows, perhaps then we'd get sensible results out of MBSA? I use kickstart and the genhdlist package with Red Hat to ensure that any installed system has all the updates installed on the first boot after installation. Why then does Windows have to lag so far behind? - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk Shameless movie plug - go see the Passion of the Christ! - DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk
Powered by blists - more mailing lists