MS releases patches once a month, we know that. Apple and Oracle for example, don't have a standard patching schedule, so when they do release patches (of which, they have known about for a long while) they are huge. The same types of vulnerabilities affect other OS's - a lot have to do with insecure 3rd party products like Adobe being installed on the system. A lot of times MS is securing issues created or revealed by other applications. Not all the time, but it does happen frequently.
With the way people use computers, I suspect there will never be a truly 100% secure system (not Windows specific, either). One vulnerability works this way, then later it works another way but using a similar base methodology. And, with technology changing constantly, the security landscape continually changes with it. Responsible vendors provide patches frequently. Responsible vendors also provide patches when something critical is brought to light. The only sure way to secure any system is to eradicate the hacker, Trojan/virus writer and eliminate the base human need to be evil. Patching, though, is only a small part of security. IT folks need to regularly practice security remediation. From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 12:31 PM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned NO Rod, it's the security community trying to help M$ get secure, if they was securing there products or at least the developers of the products, there wouldn't be these 0 days because the code would be secure!. (Well a lot less vulnerabilities) But when you look at the vulnerabilities from month to month, they are the same old things ( input validation, buffer overflow, stack overflow, bounds checking, information disclosure, don't they test fro these types of flaws during the development process, if not they need a lesson in SDLC as relates to security!)0 Z Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 _____ From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 12:07 PM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned Dang, Microsoft! I wish they'd stop trying to secure their products!!!! From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 12:00 PM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned Ok not so much of a trend, problem is they probably knew of the issue before this months patch cycle, and didn't release it with Critical rating on patch Tuesday but a week afterwards, during everyone(s) patching cycle for there information systems. Now we have to validate yet another patch and ask yet again for more downtime from the business on servers and workstations etc etc to get required patches on the machines to protect against the latest threat. What compounds it this month that there is already 11 patches to be tested, validated and deployed and vetted for issues afterwards, one of these patches is exploitable and could definitely lead to a worm (SMB flaw) now you add this remote exploitable, wormable patch, quiet possibly with public exploit code in the wild and active exploits, the risk factor goes up through the dam roof. Now imagine if you was the only person responsible for accomplishing all (4) tasks above, and this new exploit on top. That doesn't make for a happy camper in anyones reguards. Then factor the number of assets to protect by about 10,000. I think you start to get the idea, its pretty crystal clear in my mind. Z Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 _____ From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 11:48 AM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned Trend? This is the first out-of-cycle patch from MSFT since April 2007. Regards, Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP My blog: http://TheEssentialExchange.com/blogs/michael Link with me at: http://www.linkedin.com/in/theessentialexchange From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 11:39 AM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned I am just pissed that they couldn't get this one out last week> Don't be surprised if you see a column in a leading magazine from me about this trend with M$ and other vendors. Z Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 _____ From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 11:25 AM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned The report on line shows Reboot Required if you open all the drop downs. It is for Remote Code Execution. It is Critical for Server 2003 all SPs and XP all SPs, Important for Vista/SP1 and Server 2008. TVK From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 10:19 AM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned We wont know until 2:00est, I am assuming it is, and it's a bad one so there is probably exploit code for it roaming the internet and its probably wormable on top of it. Z Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 _____ From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 11:16 AM To: NT System Admin Issues Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned And it does require a reboot after install. I hate when out of cycle patches require reboots. I prefer when my users don't know. From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2008 6:28 AM To: NT System Admin Issues Subject: Out of Cycle Critical Windows Patch to be released today, stay tuned Importance: High Heads up gang, more patching for this month, this one out of cycle and critical no additional information yet. Z Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 _____________________________________________ <http://www.computerworld.com/action/article.do?command=viewArticleBasic&art icleId=9117878&source=NLT_AM&nlid=1> http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti cleId=9117878&source=NLT_AM&nlid=1 As if the 11 patches this month wasn't enough, now they releasing an out-of-cycle critical patch, Gotta love patchin, Z Edward E. Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
