read and answer the question. security class

Sigchi4life
Category:
Computer Science

Question description

On most top ten mitigation lists is the need to keep systems patched.  The articles and comments below indicate that patching is not always effective.  Read one of the articles below and provide a unique and relevant comment supporting patching or describing its cons.

Microsoft Patch Tuesday (November 11 & 12, 2014)

On Tuesday, November 11, Microsoft released 14 bulletins to address 33 vulnerabilities in a variety of products. Two bulletins that were originally scheduled for release have been held back due to concerns that they did not adequately address certain security issues in Microsoft Exchange Server. 

-https://technet.microsoft.com/library/security/ms14-nov
-http://www.zdnet.com/ms-exchange-updates-delayed-until-december-7000035755/
-http://www.scmagazine.com/microsoft-remediated-33-vulnerabilities/article/382691/
-http://www.computerworld.com/article/2846448/november-patch-tuesday-a-massive-update-with-a-few-misses.html

Among the vulnerabilities addressed is a critical flaw that affects all versions of Windows since Windows 95 and has existed for nearly 20 years. This particular flaw could be exploited to launch drive-by attacks and run code remotely. It also circumvents Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

-http://www.darkreading.com/vulnerabilities---threats/microsoft-fixes-critical-19-year-old-schannel-bug-but-no-patch-for-xp/d/d-id/1317423?
-http://www.theregister.co.uk/2014/11/12/driveby_unicorn_0day_beats_emet_affects_all_windows_versions/
-http://www.bbc.com/news/technology-30019976

[Editor's Note (Ullrich): This was not only a large, but also a very "tricky" patch Tuesday. First of all, with MS14-066 (SCHANNEL), Microsoft dropped the first unauthenticated remote code execution vulnerability in years. This fall could become a huge problem, even though it looks that up to this point, exploitation will be a bit more difficult. To make things worse, Microsoft's bulletin and patch quality seems to be waning. Two of the bulletins announced for November have been moved to December without further announcement. The bulletin for MS14-066 is lacking significant details, for example the fact that this patch covers multiple flaws (a certificate evasion flaw plus at least two buffer overflows). MS14-064 is another incomplete attempt to fix the ongoing "sandworm" OLE issue, and apparently it is still not complete (the first attempt, MS14-060, fell short as well). Microsoft used to do better than that.

(Murray): Does the risk really go up simply because support ends on a mature product or is the risk, if any, in the continued use of an obsolete product? I am reminded that ShellShock was at least twenty-five years old. While it made systems in which it was used vulnerable, it seems to me that it operated the way that it was intended to operate. It was an embedded escape mechanism, one of many. The real vulnerability was in the use of a component that was not fully understood. "Software Engineering" is a contradiction in terms if it does not include the concept of "strength of materials." It may be an over constrained problem, but if so, we should not call it engineering.]


Tutor Answer

(Top Tutor) Daniel C.
School: UC Berkeley