[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030801044331.77309.qmail@quickhosts.net>
From: denatured at microsoftsucks.org (denatured)
Subject: RE: Patching networks redux (fwd)
As an Information Security Officer I assume that you consider yourself an
"Expert". That assumption being based on the fact that with the title of
"Officer", and the responsibility that goes with it, I'd hope you think of
your self way. Curious though, after having it demonstrated to you that your
network is VERY insecure I would have thought that you would take the time
to fix it vice writing on this discussion board throughout the day. Is that
not having the time/resources or just plain neglegence? I mean mistakes
happen, but an outright ignoring of the problem, when it has been released
to a list of this size, should concern your employer just a little. If
you're going to let the whole world know that 'utd48637' is low on yellow,
you should put an admin password on it. But why does the world nees any
access to your printers...and the rest of it all.
Think about it.
D
CC: jnelsen@...allas.edu, lovitt@...allas.EDU, assist@...allas.edu,
cassini@...hange.utdallas.edu, bastani@...allas.edu, pauli@...allas.edu,
tmesser@...allas.edu, renehe@...allas.edu
----Original message from Paul Schmehl-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Schmehl, Paul L
Sent: Wednesday, July 30, 2003 6:09 PM
To: full-disclosure@...ts.netsys.com
For all those experts who have mastered patching your networks, please
ignore this post.
For the rest of you, testing has shown that some patch management tools are
incorrectly reporting that MS03-026 is installed when it's not (notably
Windows Update and Update Expert, among others.) The accuracy of the tool
depends on how they check for the patch level. If they check the registry
(like Windows Update and Update Expert do) they will *incorrectly* report
that MS03-026 has been installed when if fact the files have not been
updated. If they do MD5 checksums (like Hfnetchk or MBSA), they will
correctly report the patch level.
The Retina tool from eEye (and I would assume the IIS commandline tool as
well) is correctly reporting what *is* patched and what is *not* patched, so
you need to rely on those to give you accurate information. You could
actually have users going to Windows Update and finding no patches available
when in fact they are still vulnerable. You could also have users for whom
you've pushed out the patch who have overwritten the files with older
versions, yet your tools are reporting them as patched.
Of course the experts never have these problems, but for the mere mortals,
caveat emptor.
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
---------------------------------------------------------------------------
Get your free email at http://www.microsoftsucks.org
Powered by blists - more mailing lists