[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Web sites compromised by IIS attack

To: Willem Koenings <isec@xxxxxxxxxx>
Subject: Re: [Full-Disclosure] Web sites compromised by IIS attack
From: Ron DuFresne <dufresne@xxxxxxxxxxxxx>
Date: Sat, 3 Jul 2004 14:00:48 -0500 (CDT)

On Fri, 2 Jul 2004, Willem Koenings wrote:

>
> > > Like I said, Do you REALLY want a vendor to install patches for you?
> >
> > Absolutely. Have them send a technician ON SITE. Have them STAY and fix
> > the product until it is working. (Free of charge mind you... just like
> > the free repair of a recalled water pump for your car). If applied
> > patches crash the system further, it is the responsibility of that
> > technician (representing the vendor) to get it back in working order.
>
> frank, this is not a kindergarden list. this not a housewife support
> list. this is a security list, this a full disclousure list. period.
> any adequate member of this list should and must apply security fixes
> and patches by himself/herself, after testing. if there is no patches
> released meanwhile, he/she should be reasonable adequate to take
> measures to mitigate attack vectors until fixes is released. allowing
> third party technician to access your system and installing unverified
> paches is a serious security issue.
>

Frank's not advocating anyhting really new, or extraordinary here.  Where
I work, we have product vendors come in all the time to fix or tune an app
to our env or to correct problems with their product as it is deployed in
our env.  We just had veritas consultants in for over two months to fix
problems with our new netbackup env, consultants to fix our STK SANS
devices, etc.  but the contracts we sign for such products certainly
differ then those we often are forced to accept when we get systems with
an OS blown on them or buy the OS to install ourselves on said systems.
What Frank's advocating,, if I read him right, is that we as the customers
enmass need to demand more from OS vendors then the license agreements we
are now forced into by opening a package of CD's from M$, HP, SGI, etc...

One of the key reasons in these times that most IT depts are overworked
and understaffed and underfunded to boot, is that those IT folks
responsible for system maintainance are being forced to devote well over
1/3rd of their man hours to repeated patching.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Web sites compromised by IIS attack
  - From: Jason Coombs

References:
- Re: [Full-Disclosure] Web sites compromised by IIS attack
  - From: Willem Koenings

Prev by Date: [Full-Disclosure] [SECURITY] [DSA 526-1] New webmin packages fix multiple vulnerabilities
Next by Date: Re: [Full-Disclosure] Successful in blocking all known exploits
Previous by thread: Re: [Full-Disclosure] Web sites compromised by IIS attack
Next by thread: Re: [Full-Disclosure] Web sites compromised by IIS attack
Index(es):
- Date
- Thread