
Full Disclosure mailing list archives
Re: Expired certificate
From: Charles Morris <charlesmorris () gmail com>
Date: Wed, 4 Aug 2010 16:01:30 -0400
On Wed, Aug 4, 2010 at 2:44 PM, Marsh Ray <marsh () extendedsubset com> wrote:
On 08/04/2010 09:44 AM, Paul Schmehl wrote:--On Monday, August 02, 2010 12:36:37 -0400 Elazar Broad<elazar () hushmail com>Spot on. I know of one large accounting/ERP system(which shall remain nameless, though I am sure there are those out there who have come across it) that checked the SQL version, including the revision number at runtime, which made patching SQL impossible.In those cases where there are such systems, there should be mitigating controls around them that increase the difficulty of break-in. Otherwise the IT department is negligent.It's not the IT department's fault if the vendor ships a product that refuses to run with a patched system. There have always been products out there that behave like this, it's a simple coding or policy mistake to make. The attraction is that they don't have to support any configuration that they haven't tested. Unfortunately, products that do so are straying away from the herd and choosing not to participate in its collective defense. They are still subject to all the same published attacks, but cannot benefit from the standard update and patch cycle. A secondary effect is that since it's so hard to predict the security of such a system over the long term, they simply can't be considered when developing general guidelines and best practices. For example, we might be discussing the schedule of disclosing a bug in the SQL vendor's product. If the SQL vendor can patch it easily for their primary customer base, those oddball downstream vendors are just not going to get much consideration. Eventually, they will probably tire of playing catch-up and adjust their policy. - Marsh _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
This is all true, however Paul is also correct. In the real world where you may not get to make the decision of what software products to implement, mitigating controls for that exposure must be put into place; whether they be firewalls, patches, extensive logging, or etc. It isn't the IT Department's fault that the product is garbage, however it is the IT Department's fault if they don't control and isolate it. The reality is that when you walk into a room one of your options isn't always "clean house".. - Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Expired certificate Pavel Kankovsky (Aug 01)
- <Possible follow-ups>
- Re: Expired certificate Elazar Broad (Aug 02)
- Re: Expired certificate Paul Schmehl (Aug 04)
- Re: Expired certificate Marsh Ray (Aug 04)
- Re: Expired certificate Charles Morris (Aug 04)
- Re: Expired certificate Paul Schmehl (Aug 04)
- Re: Expired certificate Leif Nixon (Aug 31)