From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: RE: Probable new MS DCOM RPC worm for Windows

No one is going to manually touch 2000+ machines (unless you're a consultant and you get paid by the hour). That's why there're tools to check whether the file properties are correct for a particular hot fix.

For example, Microsoft Baseline Security Analyzer (free), GFI Languard Network Security Scanner (inexpensive), Shavlik HFNetcheckPro (expensive), and Microsoft SMS (with SU feature pack) (very expensive) will all do file version and/or checksum calculations to verify that a particular file is what should be there to consider a patch to be installed. Some of these will even automatically deploy the patches to machines that are missing them. Many other tools do the same thing. (Let's not get into a flame war about the pros and cons of any particular tool.)

While we have other decent tools available to check whether a patch has been correctly applied to this particular vulnerability that don't depend on file versions, for most patches the only reliable way to confirm if a patch has been applied is to check the physical files.

If you're not going to verify that a patch is correctly installed through _some_ method, you're being negligent.

To answer your question, yes, if you're a responsible professional.

Jerry

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls@...allas.edu]
Sent: Friday, September 26, 2003 9:33 AM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

> -----Original Message-----
> From: Gary Flynn [mailto:flynngn@....edu]
> Sent: Friday, September 26, 2003 8:06 AM
> To: 'full-disclosure@...ts.netsys.com'
> Subject: Re: [Full-Disclosure] RE: Probable new MS DCOM RPC
> worm for Windows
>
>
> I would think a better way of determining if a patch is
> actually installed on a system is by examining the files on
> the system rather than to depend upon symptoms (scanners) or
> installation logs (registry entries).

True, but *I'm* not going to physically touch (or even virtually touch) 2000+ machines looking at file properties. Are you?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
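
The checksum approach discussed in this thread, as an added example that is not part of the original messages or of any tool named in them: it hashes the files a hotfix should have replaced and flags hosts whose install record says "patched" while the files on disk say otherwise. The host names, the `system32/example.dll` path, the file contents and the `claims_installed` flag (standing in for a registry entry or install log) are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 16):
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_host(root, manifest):
    """Return {relative_path: 'ok' | 'mismatch' | 'missing'} for one host's file tree."""
    results = {}
    for rel, expected in manifest.items():
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
        elif sha256_of(target) != expected.lower():
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    return results

def audit(hosts, manifest):
    """hosts: {name: (root, claims_installed)}. Flags record/file disagreement."""
    report = {}
    for name, (root, claimed) in hosts.items():
        files_ok = all(s == "ok" for s in verify_host(root, manifest).values())
        if files_ok:
            report[name] = "patched"
        elif claimed:
            report[name] = "record-says-patched-but-files-differ"
        else:
            report[name] = "unpatched"
    return report

def demo():
    """Constructed sample: three fake host trees with placeholder file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        fixed, old = b"PATCHED-BUILD (constructed)", b"ORIGINAL-BUILD (constructed)"
        manifest = {"system32/example.dll": hashlib.sha256(fixed).hexdigest()}
        hosts = {}
        for name, content, claimed in [("host-a", fixed, True),
                                       ("host-b", old, True),
                                       ("host-c", old, False)]:
            path = Path(tmp) / name / "system32" / "example.dll"
            path.parent.mkdir(parents=True)
            path.write_bytes(content)
            hosts[name] = (Path(tmp) / name, claimed)
        return audit(hosts, manifest)
```

An exact-hash manifest reports a file replaced by a later hotfix as a mismatch, so the manifest has to list every acceptable build of each file.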