I understand the code is different, but the result should be the same. One is either vulnerable or not. We check for vulnerabilities to assess risk. If I can apply a patch and still be vulnerable, either through negligence (not rebooting) or errors in the patch itself, then just check for the exploit to begin with. Unless it is a DoS, the latter seems the more accurate anyway. Or at least have the results of each check report to one table entry. That way I can assess whether to apply the patch, remove the service/program or operate with the risk. Thanks for the discussion!

** The opinions expressed here are my own and are not a reflection of my company or the government. **

Mark P. Evans
Northrop Grumman IT
DISA Field Security Operation (OP74)
Bldg 1C - LEAD
1 Overcash Ave
Chambersburg, PA 17201

-----Original Message-----
From: Washburn, Lisa (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 4:03 PM
To: Evans, Mark (Contractor); [EMAIL PROTECTED]
Subject: RE: [ISSForum] Another case of inflating the number of vulnerabilities found..

The reason ISS keeps these records separate is because the code used to detect each issue is very different. The checks associated with these records don't always produce the same results, thus we need two different records so that we can report on them separately. In your example, the patch check simply checks that the patch is installed; the other check detects if you are actually vulnerable to the specific buffer overflow. Sometimes a workaround may be just as valid a solution to a security issue as applying the patch. If that workaround was applied, the patch check would flag the system as vulnerable, but the vulnerability check would not. Additionally, there are times when patches cover more than one unique security issue, and we may be able to determine multiple ways to detect the related vulnerabilities in addition to a patch check.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Evans, Mark (Contractor)
Sent: Monday, December 08, 2003 3:54 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Another case of inflating the number of vulnerabilities found.. by Internet Scanner.

Check 13480 WinMS03046 patch not installed is the same as ExchangeSMTPVerb Buffer Overflow (check 13432). They both check the same thing. Why can't they just release one check? Would it be so they can say "oh, we can have two checks more instead of one"? Let's work smarter, not harder. More isn't always better.

Mark P. Evans
Northrop Grumman IT
DISA Field Security Operation (OP74)
Bldg 1C - LEAD
1 Overcash Ave
Chambersburg, PA 17201

** The opinions expressed here are my own and are not a reflection of my company or the government. **

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
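The thread's suggestion of reporting both checks "to one table entry" can be done on the consumer side without waiting for the scanner vendor to merge records. The script below is an added example, not ISS Internet Scanner code: it assumes a CSV export with the columns host,check_id,check_name,status (an assumed format), uses the check IDs 13480 and 13432 named in the thread, and correlates the patch-check and vulnerability-check results into one finding per host. The four combinations map to the situations Lisa and Mark describe (unpatched and exploitable, patched but still exploitable, unpatched but mitigated by a workaround, fixed), plus the case where one of the two checks did not run. The host names and statuses are constructed sample data.

```python
"""Correlate a patch check and a vulnerability check into one finding per host.

Added example; not ISS code. The CSV layout is an assumption, the check IDs
are the two named in the thread, and the sample rows are constructed.
"""
import csv
import io
from typing import Dict, Optional, Tuple

PATCH_CHECK = "13480"  # "WinMS03046 patch not installed"
VULN_CHECK = "13432"   # "ExchangeSMTPVerb Buffer Overflow"

# Constructed sample export. status "found" means the check fired, i.e. the
# patch is missing (13480) or the host is exploitable (13432).
SAMPLE_CSV = """host,check_id,check_name,status
mail1,13480,WinMS03046 patch not installed,found
mail1,13432,ExchangeSMTPVerb Buffer Overflow,found
mail2,13480,WinMS03046 patch not installed,not_found
mail2,13432,ExchangeSMTPVerb Buffer Overflow,found
mail3,13480,WinMS03046 patch not installed,found
mail3,13432,ExchangeSMTPVerb Buffer Overflow,not_found
mail4,13480,WinMS03046 patch not installed,not_found
mail4,13432,ExchangeSMTPVerb Buffer Overflow,not_found
mail5,13432,ExchangeSMTPVerb Buffer Overflow,not_found
"""


def parse_results(csv_text: str) -> Dict[str, Dict[str, bool]]:
    """Group the two checks of interest by host: {host: {check_id: fired}}."""
    by_host: Dict[str, Dict[str, bool]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["check_id"] not in (PATCH_CHECK, VULN_CHECK):
            continue  # other checks are out of scope for this correlation
        by_host.setdefault(row["host"], {})[row["check_id"]] = row["status"] == "found"
    return by_host


def assess(patch_missing: Optional[bool], vulnerable: Optional[bool]) -> Tuple[str, str]:
    """Reduce the two check outcomes to one status plus the action it implies."""
    if patch_missing is None or vulnerable is None:
        return "incomplete", "one of the two checks did not run; rescan before deciding"
    if vulnerable and patch_missing:
        return "vulnerable", "unpatched and exploitable: apply the patch or remove the service"
    if vulnerable:
        return "vulnerable", "patch reported installed but still exploitable: check for a pending reboot or a failed patch"
    if patch_missing:
        return "mitigated", "patch missing but not exploitable: a workaround is in place; confirm it survives reboots and reconfiguration"
    return "fixed", "patched and not exploitable"


def correlate(csv_text: str) -> Dict[str, Dict[str, object]]:
    """Produce the single table entry per host that the thread asks for."""
    findings: Dict[str, Dict[str, object]] = {}
    for host, checks in parse_results(csv_text).items():
        status, note = assess(checks.get(PATCH_CHECK), checks.get(VULN_CHECK))
        findings[host] = {
            "patch_missing": checks.get(PATCH_CHECK),
            "vulnerable": checks.get(VULN_CHECK),
            "status": status,
            "note": note,
        }
    return findings


def render_table(findings: Dict[str, Dict[str, object]]) -> str:
    """One line per host: host, patch state, exploitability, combined status."""
    lines = ["host     patch_missing  vulnerable  status"]
    for host in sorted(findings):
        f = findings[host]
        lines.append(f"{host:<8} {str(f['patch_missing']):<14} {str(f['vulnerable']):<11} {f['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = correlate(SAMPLE_CSV)
    print(render_table(result))
    for host in sorted(result):
        print(f"{host}: {result[host]['note']}")
```

The "mitigated" row is the case Lisa describes (workaround applied, patch check still fires); the "patched but still exploitable" row is the case Mark raises (patch applied without a reboot, or a bad patch). Keeping both raw check results in the entry, rather than only the combined status, is what lets the reader decide between patching, removing the service and accepting the risk.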
