"Richard M. Smith" <[EMAIL PROTECTED]> quotes Mr. Gates:

> And ducking questions by blaming the victim:
>
> Q. "The buffer overrun flaw that made the Blaster worm
> possible was specifically targeted in your code reviews
> last year. Do you understand why the flaw that led to
> Blaster escaped your detection?"
>
> A. "Understand there have actually been fixes for all of
> these things before the attack took place. The challenge
> is that we've got to get the fixes to be automatically
> applied without our customers having to make a special effort."
The "all of these things" part is not correct, according to several press reports.

| Pentagon sources last week confirmed that officials are
| investigating an apparent intrusion into at least one military
| server through a previously unknown vulnerability in Microsoft
| Corp.'s Windows 2000 operating system.

<http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79626,00.html>

| Update: In an unusual case, attackers have begun exploiting a new
| Microsoft bug before the flaw was widely known. Microsoft is urging
| sites to patch their servers as quickly as possible
|
| Microsoft warned customers on Monday that a security hole in Windows
| 2000 and the company's Web server software is allowing online
| attackers to take control of corporate servers.
|
| Because the vulnerability is being actively exploited by Internet
| vandals, Microsoft advised customers to apply a patch or use a
| workaround to defend against the attack as soon as possible. One of
| the servers attacked belonged to the US Army, according to reports.

<http://news.zdnet.co.uk/business/0,39020645,2132071,00.htm>

| A hacker last week exploited a previously unknown vulnerability in
| Microsoft Corp.'s Windows 2000 operating system to gain control of a
| military Web server, and the extent of the damage done is still
| unknown.

<http://www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp>

There's still an unpatched RPC vulnerability (however, only DoS has been publicly demonstrated so far):

<http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00254.html>

Of course, it's convenient to ignore such problems and declare that regularly applied patches pave the way to secure software. But patching is a countermeasure that is merely in vogue right now. It's just a question of time until this approach will break in a very obvious manner (that cannot be blamed on sloppy system administration easily), and we have to try something different.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
