Open Source and information security mailing list archives
Date: Wed Aug 17 17:56:47 2005
From: larry at larryseltzer.com (Larry Seltzer)
Subject: Disney Down?

>>you do realize that you are writing for the "Enterprise News & Reviews"
>>magazine, eWeek - right?

Yeah. Online we get a little leeway on such things, and anyway it's beside
the point of that statement, which was that none of the current attacks will
directly infect Windows XP systems, including consumer systems, and
therefore will not linger there. To illustrate the point, it's a long time
now since the RPC/DCOM bug was patched and still there are lots of infected
systems out there spitting Blaster at the world; how many do you think are
in Fortune 500 companies as opposed to consumer systems?

>>You also realize that MS05-039 affects the current "consumer" version of
>>Microsoft Windows (aka Windows XP) - right?

The vulnerability does, but not any (to my knowledge, as of 12:something on
Wednesday) of the exploits. It affects Windows XP differently than it does
Windows 2000; with Windows XP SP1 it requires an authenticated user, with
SP2 it requires an authenticated user with "log on locally" rights. This
means that the worm will have to add something like a dictionary attack to
look for weak user/password combinations.

I don't disagree with what you say about security practices and the need to
patch quickly. This attack came on very quickly and I think it reveals more
about bad general security practices than slow patching practices. 

>>Any vulnerability that would allow for remote code execution and elevation
>>of privilege should be treated as a top priority, from both internal and
>>external attack vectors.

It's clear that large companies won't patch immediately without some
testing, and I can respect that. The answer isn't that they should shut up
and patch, it's that they should have effective layered security practices
in place that would mitigate attacks such as this even without the patches.
I shouldn't be surprised that there is so much bad security out in Fortune
500-land, but the answer to it is not to patch next-day.

And I still think that the overall scale of this attack was exaggerated
because it was media that was hit, and that the worm doesn't have long-term
legs.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer@...fdavis.com 
