Re: [Full-Disclosure] Administrivia: Testing Emergency Virus Filter..

[Bryan Allen <bda@mirrorshades.net>]

On Wednesday, August 20, 2003, at 4:37 PM, Gary E. Miller wrote:

> Yo Paul!
>
> On Wed, 20 Aug 2003, Schmehl, Paul L wrote:
>
>> Have you asked them when the last time that they updated was?  A 
>> remote
>> hole in Mac OS X was announced just last week (the realpath problem).
>> I'll bet most of them don't even know about it.
>
> All OSes have problems getting users to update.  The old saying "If it
> ain't broke don't fix it" will be with us a long time.   At least if
> the user is using an OS with halfway decent priviledge separtion there
> will probably be more limited damage when unpatched bugs are exploited.

Also keeping in mind that Software Update is on by default, and forces 
a user to reboot if it's required (no closing the window a la Windows).

In theory, if a user isn't clueful enough to know about security 
updates, it's *relatively* unlikely that they'll have turned it off, or 
will do so. (The same goes for Windows Update, only I have yet to hear 
that when you install an OS X patch, it tells you it's installed the 
update, only it hasn't, unlike some other package update mechanisms I 
suppose we could mention. ;-)

Panther (OS X.3) will have reboot-less updates, apparently.

Also, the "OMFG THAT OS HAD A VULNERABILITY OMFG WTF" is rather silly. 
Applications have bugs. Patches get written. Hopefully they get 
applied.

How many Linux users are still running a ptrace-vulnerable kernel? Or 
how many FreeBSD users haven't cvsup'd up and rebuilt their kernel? How 
many never got the vuln reports in the first place?

Users are users.

So it goes.
--
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html