Security Incidents mailing list archives
Re: AIM Password theft VU#865940
From: "CERT(R) Coordination Center" <cert () cert org>
Date: Thu, 25 Sep 2003 15:37:59 -0400
-----BEGIN PGP SIGNED MESSAGE-----

Meritt James <meritt_james () bah com> writes:

> How about blaming him for not applying a fix for a terrible flaw and then trying to avoid the blame by passing it to someone else?

The patch does not work.

> This is a widespread problem, in my opinion. Fixes and patches exist but are not applied by "administrators."

There are at least three parties to blame (in rough order of culpability):

1. attacker/malicious actor who seeks to exploit my system
2. vendor who wrote/sold insecure software
3. user/admin who does not configure/patch/operate securely

For 3., keep in mind that an admin may have to consider many patches each week. Which remote root should she patch first? If she has any concern for the stable operation of her network, she might test the patch for some period of time. Does this admin have 10 hours this week to spend reading, downloading, cataloging, testing, and pushing out patches? 20? 40 hours? Does she have any other work to do? And yes, there are admins who just don't bother. More to the point in this case, the patch is incomplete, so one can't blame the admin for not patching. Should the admin research and roll out a configuration or registry change instead?

> Valdis.Kletnieks () vt edu wrote:
> > On Wed, 24 Sep 2003 08:35:32 EDT, Jamie Pratt <jamie () nucdc org> said:
> > > Anyone know when this terrible flaw will be fixed by MS?
> > Fixed back on August 20. Can't blame Microsoft for not fixing it.
> > http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

As Jared Bergeron pointed out, one could blame MS for not fixing it, since in fact they did not fix it. The patch for MS03-032 breaks one of at least three exploit vectors and does not seem to address the underlying vulnerability.

<http://www.microsoft.com/technet/security/bulletin/MS03-032.asp>
<http://www.kb.cert.org/vuls/id/865940>

Regards,

- Art

Art Manion -- CERT Coordination Center <http://www.cert.org/>
<cert () cert org> +1 412-268-7090
E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBP3NH5jpmH2w9K/0VAQGOqwP8Ci/+Tu6ce+EowMx3XjNkC5NZ6HxIg979
FEbTlkKvOg9/bm97V4F3mteHZXpMI49Z2uJOroLCQGI5e0R3X98MLes2pi882EIy
9T4zm/nD11kLDuPpIKPdujB2UlRcQ773pvcpfimf16FImomkf4GdJfh4nuNjMyj9
91Nh/FLO+28=
=mT+5
-----END PGP SIGNATURE-----
Current thread:
- AIM Password theft Mark Coleman (Sep 23)
- Re: AIM Password theft Lothar Kimmeringer (Sep 23)
- Re: AIM Password theft Jamie Pratt (Sep 24)
- Re: AIM Password theft Valdis . Kletnieks (Sep 24)
- Re: AIM Password theft Meritt James (Sep 25)
- Re: AIM Password theft VU#865940 CERT(R) Coordination Center (Sep 25)
- Re: AIM Password theft Jamie Pratt (Sep 24)
- Re: AIM Password theft Lothar Kimmeringer (Sep 23)
- <Possible follow-ups>
- RE: AIM Password theft Andrew McKnight (Sep 24)
- Re: [incidents] RE: AIM Password theft Tim Kennedy (Sep 24)
- Re: AIM Password theft Rick Updegrove (Sep 24)
- Re: AIM Password theft Meritt James (Sep 25)
- RE: AIM Password theft Bergeron, Jared (Sep 24)
