Microsoft XP SP2 (was Re: Lazy network operators - NOT)

Chris Brenton cbrenton at chrisbrenton.org
Mon Apr 19 10:12:16 UTC 2004


On Sun, 2004-04-18 at 23:16, Sean Donelan wrote:
>
> When the Morris worm was released, there wasn't a patch available.  Since
> then essentially every compromised computer has been via a vulnerability
> with a patch available or misconfiguration (or usually lack of
> configuration).

Key word here is "essentially". I've been involved with about a half
dozen compromises that have been true zero-days. Granted that's less
than ground noise compared to what we are seeing today.

> As far as improvements go, Microsoft's XP SP2 is a great improvement.  If
> you have a Windows machine, implementing XP SP2 could help with a lot of
> the stupid vulnerabilities.  Unfortunately less than 50% of Internet users
> have XP.

This ends up being a catch-22 all the way around. Since MS has focused
on locking down XP, they have ended up focusing on a minimal market
share of the problem. With this in mind, I don't think we are going to
see things getting any better now that SP2 is out. For the end user
running 2000 or less, it ends up sounding like "we screwed up and sold
you an insecure product so now we want you to give us more money in
order to fix the problem". A fix that addressed the problem in a more
universal fashion would have been cool. 

> Should ISPs start requiring their users to install Windows XP SP2?

Many folk have already commented on the economics of trying to require
this. I think technically it would be hard to implement as well. I've
done a lot of work with passive fingerprinting and from my observations
you don't see enough of a difference in the packet creation to tell the
difference between patched and unpatched systems. This leaves you with
active fingerprinting which may fail if a personal firewall is active,
or loading software on their system which is now a whole other support
nightmare. Lots of overhead for little gain in my opinion.

Also, don't underestimate a person's ability to shoot themselves in the
foot. Windows 2003 server, out of the box, is technically one of the
most secure operating systems out there because it ships with no open
listening ports. Based on the auditing I've done however, it ends up
being deployed even less secure than 2000 because a lot of admins end up
doing the "turn everything on to get it working" thing. An uneducated
end user is not something you can fix with a service pack.

Chris
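The passive-fingerprinting point in the message above, as an added example that is not part of the original post or the NANOG thread: a small p0f-style parser that pulls the fields a passive fingerprinter keys on (initial TTL, window size, DF bit, TCP option order, MSS) out of a raw SYN. The packets are constructed inline with struct, not captured, and the signature table is an illustrative stand-in for a real database. Nothing in these header fields carries a service-pack or patch level, which is what the two "same stack, different host" packets in demo() are meant to show.

```python
"""Passive TCP/IP fingerprinting of SYN packets (p0f-style fields).

Added example, not code from the original post. Packets are constructed
with struct; SIGNATURES is an illustrative table, not a real database.
"""
import struct

IP_DF = 0x4000      # IPv4 "don't fragment" bit in the flags/fragment-offset field
TCP_SYN = 0x02

# Constructed option blobs (assumed layouts, not captured traffic)
WIN_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])              # MSS 1460, NOP, NOP, SACK-ok
LINUX_OPTS = (bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8
              + bytes([1, 3, 3, 0]))                          # MSS, SACK-ok, TS, NOP, WS 0


def build_syn(ttl, window, df, options, src_port=40000, seq=0, ip_id=0):
    """Build a minimal IPv4 + TCP SYN packet (constructed test input, no checksums)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)           # pad to 32-bit words
    tcp_len = 20 + len(options)
    doff_flags = ((tcp_len // 4) << 12) | TCP_SYN
    tcp = struct.pack("!HHIIHHHH", src_port, 80, seq, 0, doff_flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id,
                     IP_DF if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_options(data):
    """Return (option kinds in wire order, MSS or None, window scale or None)."""
    kinds, mss, wscale = [], None, None
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                                          # EOL
            kinds.append("E"); break
        if kind == 1:                                          # NOP
            kinds.append("N"); i += 1; continue
        if i + 1 >= len(data):
            break
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            break                                              # malformed; never read past buffer
        body = data[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]; kinds.append("M")
        elif kind == 3 and len(body) == 1:
            wscale = body[0]; kinds.append("W")
        elif kind == 4:
            kinds.append("S")
        elif kind == 8:
            kinds.append("T")
        else:
            kinds.append("?%d" % kind)
        i += length
    return kinds, mss, wscale


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255


def passive_fingerprint(pkt):
    """Extract the SYN fields a passive fingerprinter compares against its table."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    df = bool(struct.unpack("!H", pkt[6:8])[0] & IP_DF)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x3F) != TCP_SYN:                            # pure SYN only
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds, mss, wscale = parse_options(tcp[20:doff])
    return {"ittl": initial_ttl(pkt[8]), "window": window, "df": df,
            "options": ",".join(kinds), "mss": mss, "wscale": wscale}


# Illustrative p0f-style entries (assumption). Key: (initial TTL, window, DF, option order).
# No SYN field encodes patch level, so one entry necessarily covers a whole OS family.
SIGNATURES = {
    (128, 65535, True, "M,N,N,S"): "Windows 2000/XP family",
    (128, 16384, True, "M,N,N,S"): "Windows 2000/XP family",
    (64, 5840, True, "M,S,T,N,W"): "Linux 2.4/2.6",
}


def classify(pkt):
    fp = passive_fingerprint(pkt)
    return SIGNATURES.get((fp["ittl"], fp["window"], fp["df"], fp["options"]), "unknown")


def demo():
    """Two hosts with the same stack but different hop counts, ports, IDs and ISNs
    (modelling the post's observation) collapse to one fingerprint; Linux does not."""
    host_a = build_syn(118, 65535, True, WIN_OPTS, src_port=1025, seq=0x1111, ip_id=1)
    host_b = build_syn(124, 65535, True, WIN_OPTS, src_port=3001, seq=0x2222, ip_id=2)
    linux = build_syn(57, 5840, True, LINUX_OPTS)
    return (passive_fingerprint(host_a) == passive_fingerprint(host_b),
            classify(host_a), classify(linux))


if __name__ == "__main__":
    print(demo())
```

The parser deliberately stops on a malformed option rather than reading past the buffer, and only accepts a pure SYN, since SYN-ACK and RST profiles differ from the SYN table; both are the checks you would want before feeding untrusted traffic to such a classifier.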