Due Diligence?
ekr writes "The OpenSSL remote buffer overflows discovered at the end of July got a lot of press here on /. But how many people actually fixed their machines? I decided to study this question, and the results are kind of depressing. Two weeks after the release of the bug, over two thirds of the servers I sampled were still vulnerable. Even two weeks after the Slapper worm was announced, a third of the total servers were vulnerable. The paper can be found here in PDF or Postscript."
I hate Waterloo, I'm going to burn this fucking school down!!!!
Does CowboyTodd get first post again?
I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.
11.57.224.22
0.9.2b is weirdly popular because the extremely popular Sun Cobalt RaQ 3 server appliance uses a security-fixed 0.9.2b, but Sun Cobalt only released the fix for all their appliances that use OpenSSL (Qube 3, RaQ 3/4/XTR/550 use OpenSSL) on October 1, 2002, which left a large number of servers vulnerable for a long time. 0.9.6b is popular because it is used in many places, including Cobalt RaQ 4 and XTR servers, Red Hat Linux 7.2/7.3/8.0 (Anyone know why RH8.0 is still 0.9.6b?) as well as a few versions of Mandrake. The significant number of old unpatched versions is because there are many server admins with not much security knowledge (mostly Cobalt RaQ users and people renting dedicated servers; I was once helping someone patch their old Apache 1.3.19/mod_ssl/OpenSSL 0.9.6b/PHP 4.0.6 server).
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
Who the fuck says "the congress" (your sig)? No one that actually LIVES in America, that's for damn sure.
Windows Update is a trojan. </obligatory anti-MS sentiment>
Somehow, detached from my actual behavior, this innocence burdens me still.