[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Web sites compromised by IIS attack

To: FULL-DISCLOSURE@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Web sites compromised by IIS attack
From: "Willem Koenings" <isec@xxxxxxxxxx>
Date: Fri, 02 Jul 2004 18:55:04 -0500

> > Like I said, Do you REALLY want a vendor to install patches for you? 
> 
> Absolutely. Have them send a technician ON SITE. Have them STAY and fix 
> the product until it is working. (Free of charge mind you... just like 
> the free repair of a recalled water pump for your car). If applied 
> patches crash the system further, it is the responsibility of that 
> technician (representing the vendor) to get it back in working order. 

frank, this is not a kindergarden list. this not a housewife support
list. this is a security list, this a full disclousure list. period.
any adequate member of this list should and must apply security fixes
and patches by himself/herself, after testing. if there is no patches
released meanwhile, he/she should be reasonable adequate to take 
measures to mitigate attack vectors until fixes is released. allowing
third party technician to access your system and installing unverified
paches is a serious security issue.

willem
-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Web sites compromised by IIS attack
  - From: Ron DuFresne

Prev by Date: Re: Betr.: Re: [Full-Disclosure] Fix for IE ADODB.Stream vulnerability is out
Next by Date: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
Previous by thread: RE: [Full-Disclosure] Web sites compromised by IIS attack
Next by thread: Re: [Full-Disclosure] Web sites compromised by IIS attack
Index(es):
- Date
- Thread