Jon-

You brought up a fundamental point. You made the point that everything would be fine if everyone just patched their systems. While that is completely true, it is unfair to write off the difficulty/impossibility of that actually happening. We talk with ISS customers all the time that tell us how many millions (yes, millions) of dollars it costs to deploy patches across a global infrastructure. I'm talking about a patch, not a service pack. The costs of building out a security group, testing patches, and deploying patches are immense and extremely prohibitive. We have customers that are running thousands of Web servers and thousands of Database servers across global networks.

This is why ISS has made a fundamental strategic shift towards Dynamic Threat Protection and why we have introduced the concept of a "Virtual Patch". Security groups and vendors have largely ignored this reality too long, and have always suggested that vulnerabilities were addressed when the patches were released. X-Force is here to discover vulnerabilities, and to elevate awareness around vulnerabilities that we feel represent a real threat. This is why we cracked open the Microsoft patch for MSRPC DCOM on July 16th and wrote our own exploit, and had protection in our product line the next day. That is the correct way to address high-risk issues. I'm not saying that you shouldn't patch, but our strategy is to help our customers develop a realistic plan when it comes to patching, and to continue to offer protection in the meantime.

Regards,

===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
[EMAIL PROTECTED]
404-236-3160

Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Portz, Jon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 3:29 PM
To: Ingevaldson, Dan (ISS Atlanta); [EMAIL PROTECTED]
Subject: RE: [ISSForum] ISS Security Brief: UPDATED MSRPC DCOM Worm Variants Propagating

That wasn't my point at all; I realize that the impact is rather widespread and serious. My point was that as soon as someone changes a semicolon in the poorly written code, it becomes a new variant and gets 5 more minutes on CNN. As for the ICMP storms, you and I both know that those can be mitigated by well-placed ACLs within an org or ISP.

My horrible attempt at making a point was meant to surmount to this: If you would just patch your systems, this would not be happening to you right now. All of these worms are exploiting KNOWN OS vulnerabilities, be it WebDAV or the RPC Flaw. Am I alone in not having much sympathy for persons affected by these exploits?

I mean come on; you had almost an entire month to patch your systems. What that amounts to is reprehensible systems administration and management.

Thanks,
JP

-----Original Message-----
From: Ingevaldson, Dan (ISS Atlanta) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 2:50 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ISSForum] ISS Security Brief: UPDATED MSRPC DCOM Worm Variants Propagating

Jon-

You are correct that the worm is poorly written. I don't agree that the information surrounding the issue is "hype". Many networks have been impacted by ICMP storms related to the 300 threads per infected hosts pinging and scanning like crazy. Nachi also has an entirely new exploit vector in the WebDAV exploit.

One such report:

http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20030819/tc_nm/airlines_aircanada_virus_dc

Regards,

===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
[EMAIL PROTECTED]
404-236-3160

Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================
