Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Web sites compromised by IIS attack
From: "Willem Koenings" <isec () europe com>
Date: Fri, 02 Jul 2004 18:55:04 -0500


Like I said, Do you REALLY want a vendor to install patches for you? 

Absolutely. Have them send a technician ON SITE. Have them STAY and fix 
the product until it is working. (Free of charge mind you... just like 
the free repair of a recalled water pump for your car). If applied 
patches crash the system further, it is the responsibility of that 
technician (representing the vendor) to get it back in working order. 

frank, this is not a kindergarden list. this not a housewife support
list. this is a security list, this a full disclousure list. period.
any adequate member of this list should and must apply security fixes
and patches by himself/herself, after testing. if there is no patches
released meanwhile, he/she should be reasonable adequate to take 
measures to mitigate attack vectors until fixes is released. allowing
third party technician to access your system and installing unverified
paches is a serious security issue.

willem
-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]