List:       bugtraq
Subject:    Re: NT RPC Hotfix
From:       Darren Reed <avalon () coombs ! anu ! edu ! au>
Date:       1997-01-24 19:11:45

In some mail from Aleph One, sie said:
>
>    Microsoft just released a hotfix for the RPC vulnerability:
>
> ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/
> hotfixes-postSP2/RPC-fix
>
>   Their quick turnaround time leaves to shame Unix vendors that take
> weeks or months to provide a patch. Oh well.

The "hotfixes", I'm sure, Unix vendors can supply just as quickly, but who
wants to run a "beta-fix" ?

I've seen Unix vendors come out with fixes just as quick, but not very often.

I've had Sun hand me back patches to test, rather timely too, when I've
raised a problem under a support contract.  I expect any Unix vendor
would do the same if you raised a high priority call, but most of the
people who bitch about it probably either don't have support or just
don't lodge calls.

Maybe next time you're talking to your vendor with whom you have a support
contract you should mention that if Microsoft can provide bug fixes so
quickly why can't they.  Heck, you might even get somewhere and they
might decide to lift their game if they realise their profits are under
threat.

I've seen the source of the problem which Unix sys admins are left to deal
with and it's usually their bosses or others or purchasing officers who
don't ever consider security (and attention to it in the form of providing
timely updates to deal with issues raised on the 'net) when drafting
purchase orders or tender requirements.  When root directories are world
writable, shell scripts are written (running as root) that create files in
/tmp (mode 666) and so on, do you think anyone cares how secure the version
of Unix they buy is ?

Doesn't everyone know about the ~+~ story for SunOS4 and 4.1.4 ?  It was
put back in /etc/hosts.equiv for distribution because of customer demand
after it was removed for 4.1.3(_U1 ?).

Darren
