More info. This seems pretty reasonable: http://castlecops.com/a6445-WMF_Exploit_FAQ.html

Steve Gibson is also mirroring Guilfanov's bypass, and says Microsoft's cryptographically signed but unreleased patch is floating around the net now: http://www.grc.com/sn/notes-020.htm

In my reading this is a serious vulnerability, but the self-inflating agitation in the "security community" has reached a highly annoying level. I'm in the FTDT (fix the damn thing) school; let's deal with it and get on with it. Every cycle spent moaning about the faults of Microsoft is a lost opportunity for something more productive.

Back to /usr/lurk . . .

regards, Fred
On Wed, 4 Jan 2006, Brance Amussen wrote:
Howdy, Here is the link to the unofficial patch creator's site: http://www.hexblog.com/ This is the one SANS links to. SANS seems to be having a hard day. No DShield mailings today either, and isc.sans.org is sporadic as well.
According to isc.sans.org, hexblog.com was down due to bandwidth issues earlier. See the isc.sans.org homepage for details on alternate ways to get to it.
On Wed, 04 Jan 2006 13:36:53 PST, Fred Heutte said:
In my reading this is a serious vulnerability, but the self-inflating agitation in the "security community" has reached a highly annoying level. I'm in the FTDT (fix the damn thing) school; let's deal with it and get on with it. Every cycle spent moaning about the faults of Microsoft is a lost opportunity for something more productive.
How many times do you propose we FTDT before we get fed up and ask upper management to authorize a migration to some other software with a better record? And how many more FTDT's do we need to tolerate while we wait for upper management to authorize a migration? Or to put it differently - if you discovered that your router vendor was vulnerable because they had a proprietary BGP extension *designed* to deliver arbitrary code for execution, would you FTDT, or would you be on the phone with your vendor venting your outrage? And what if it wasn't the first, but more like the 10th year in a row that a similar design issue had surfaced? Would you still just FTDT? And while you're trying to figure out how to roll out a patch to 200 routers that are totally under your control, keep in mind that a *small* organization can have 30K PCs, not always totally managed. Still feel like just FTDT?
On Wed, Jan 04, 2006 at 05:58:16PM -0500, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote a message of 46 lines which said:
How many times do you propose we FTDT before we get fed up and ask upper management to authorize a migration to some other software with a better record? And how many more FTDT's do we need to tolerate while we wait for upper management to authorize a migration?
There is no limit to what human beings can stand before becoming reasonable. That is human nature and the engineers' rationality is no match for it. Think about religion, for instance. A lot of people still believe in a supernatural being despite a very bad track record (much worse than MS-Windows').
Indeed. It's the security equivalent of "the market can stay irrational longer than you can stay solvent" - perhaps we could reformulate that as "the users can remain clueless longer than your business can survive the DDoS".

On 1/5/06, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Wed, Jan 04, 2006 at 05:58:16PM -0500, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote a message of 46 lines which said:
How many times do you propose we FTDT before we get fed up and ask upper management to authorize a migration to some other software with a better record? And how many more FTDT's do we need to tolerate while we wait for upper management to authorize a migration?
There is no limit to what human beings can stand before becoming reasonable. That is human nature and the engineers' rationality is no match for it.
Think about religion, for instance. A lot of people still believe in a supernatural being despite a very bad track record (much worse than MS-Windows').
We're looking at purchasing MPLS services for locations nationwide. Does anyone have personal experiences they'd care to share about providers...the good, the bad, the ugly? I'm not looking for public bashing, just data to differentiate one from another. Any comments or direction appreciated. Andrew
participants (5)
- Alexander Harrowell
- Andrew Staples
- Fred Heutte
- Stephane Bortzmeyer
- Valdis.Kletnieks@vt.edu