> On Wednesday 12 November 2003 12:47 pm, jgw wrote:
> : > FYI, beginning this month, MS changed to announcing/releasing critical
> : > update security patches only on the second Tuesday of each month.
> :
> : If this is true, this plan isn't going to last long. Any hack victim would
> : have a heyday in court if it could prove that Microsoft knowingly knew
> : about an exploit, and held onto an announcement/patch for a month.
> You mean like the port exploit the blaster worm uses? I think they knew
> about the issue 2 years ago!

This is a common piece of FUD spread by the anti-Microsoft crowd. The patch for that vulnerability was issued nearly a month before Blaster. I believe Blaster first showed up around August 11th. The patch in question, MS03-026, came out in mid-July... the 16th? The worm was relatively successful not because Microsoft hadn't yet issued a patch; it was successful due to lazy sysadmins not patching their systems in a timely manner. Certainly, not a Windows 2000-specific issue.

This same bit of FUD was spread about the Slammer worm and its associated vulnerability. The patch for that vulnerability was patched some 5 months before the Slammer worm appeared. That patch was quite difficult to install, however. Microsoft kind of rushed that one out. Regardless, the patch was included in the next service pack, which, I believe, was a month or so before the Slammer worm came out. Thus, users had two chances to patch their systems for that one.

/jgw
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
