security class be writer and professional

Asked: Nov 25th, 2014

Question description

On most top ten mitigation lists is the need to keep systems patched. The articles and comments below indicate that patching is not always effective. Read one of the articles below and provide a unique and relevant comment supporting patching or describing its cons. Two paragraphs.


On Tuesday, November 11, Microsoft released 14 bulletins to address 33 vulnerabilities in a variety of products. Two bulletins that were originally scheduled for release have been held back due to concerns that they did not adequately address certain security issues in Microsoft Exchange Server. 


Among the vulnerabilities addressed is a critical flaw that affects all versions of Windows since Windows 95 and has existed for nearly 20 years. This particular flaw could be exploited to launch drive-by attacks and run code remotely. It also circumvents Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

[Editor's Note (Ullrich): This was not only a large, but also a very "tricky" patch Tuesday. First of all, with MS14-066 (SCHANNEL), Microsoft dropped the first unauthenticated remote code execution vulnerability in years. This fall could become a huge problem, even though it looks that up to this point, exploitation will be a bit more difficult. To make things worse, Microsoft's bulletin and patch quality seems to be waning. Two of the bulletins announced for November have been moved to December without further announcement. The bulletin for MS14-066 is lacking significant details, for example the fact that this patch covers multiple flaws (a certificate evasion flaw plus at least two buffer overflows). MS14-064 is another incomplete attempt to fix the ongoing "sandworm" OLE issue, and apparently it is still not complete (the first attempt, MS14-060, fell short as well). Microsoft used to do better than that.

(Murray): Does the risk really go up simply because support ends on a mature product or is the risk, if any, in the continued use of an obsolete product? I am reminded that ShellShock was at least twenty-five years old. While it made systems in which it was used vulnerable, it seems to me that it operated the way that it was intended to operate. It was an embedded escape mechanism, one of many. The real vulnerability was in the use of a component that was not fully understood. "Software Engineering" is a contradiction in terms if it does not include the concept of "strength of materials." It may be an over-constrained problem, but if so, we should not call it engineering.]
