On Sat, 11 Sep 2004, Chris Buechler wrote:
> On Fri, 10 Sep 2004 08:40:26 -0400, Michael Monaghan
> <mmonaghan at gmail dot com> wrote:
> > There are plenty of known vulnerabilities that Microsoft admits there
> > are no fixes for. The one used in this attack was unknown to MS PSS
> > and is still under study 2 months after the fact. A lot of people
> > would have ignored the attack because the Root Kit was almost perfect.
> > I think we can all agree everything has its problems and in the
> > wrong or untrained hands things can be much worse. I do appreciate
> > your ideas on IIS. We've implemented them previously and it didn't
> > slow the attacker down.
> There could very well be unpublished exploits out there, but it's just
> as likely that there are unpublished/unknown exploits in Apache,
> FreeBSD, Linux, etc.
I would disagree with the "just as likely" part. Sure, *any* complex
piece of software has a risk of security holes (even OpenBSD has had *one*
remote exploit), but there's a difference between code written by people
who actually care about security and code written by people who approach
security issues with the same enthusiasm that kids have towards eating
their vegetables. :-)