[Dailydave] The long tail of vulnerable operating systems

Katie M k8ek8e at gmail.com
Wed Nov 14 14:48:45 EST 2007 

What is this, full disclosure? I thought we were on DailyDave! ;-)
No, it wasn't them and I won't tell who since they were my client and
I am under NDA.

The point of my post wasn't to expose any particular company, but to
comment that older OSes, less-than-fully-patched current OSes, and
other older software are still very relevant in terms of security
today. We not only need to remember the exploits, but also look for
practical ways to protect what is really out there.

-Katie.


On 11/14/07, Adriel Desautels <adriel at netragard.com> wrote:
> Kaite,
> 	The company with all of the old systems wouldn't be CFI by chance would it?
>
> Regards,
> 	Adriel T. Desautels
> 	Chief Technology Officer
> 	Netragard, LLC.
> 	Office : 617-934-0269
> 	Mobile : 617-633-3821
> 	http://www.linkedin.com/pub/1/118/a45
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
>
> Katie M wrote:
> > Hey Dave,
> >   Lots of places have older OSes deployed, perhaps only internally as
> > you mentioned, but companies are rife with them, and sometimes closer to
> > the perimeter than you'd expect.  On a consulting enagagement, I met a
> > Fortune 50 company that had a massive internal deployment of Windows 98
> > (yeah, I know, weird but here's why) because they had some biz critical
> > crapplication that nearly everyone needed to use that would only run on
> > Win98.  I told them to hire some developers or interns or somebody,
> > anybody, to rewrite the thing from scratch.  :-)
> >
> >   Of course they and all those other places that run old OSes *should*
> > welcome themselves into this millenium's operating systems -- we all
> > agree there.  No need to start arguing the obvious.  But the point is
> > that more than enough orgs (won't or) don't have the resources to
> > upgrade (or to update) due to app compatibility.  That's the reality and
> > the reason why attacking older OSes at a CTF-like event is still
> > pertinent and practical.
> >
> > My 0.01 pence.
> >
> > -Katie
> >
> >
> > On Nov 12, 2007 3:03 AM, Dave aitel <dave at immunityinc.com
> > <mailto:dave at immunityinc.com>> wrote:
> >
> > So every CTF I've played recently (like the one at CSI last week) has a
> > target set of Windows 2000 and extremely old Linux (say, RedHat 8). I'm
> > pretty sure that on any modern network you don't find a whole lot of
> > either of these. There's always the people who still run NT4 and SCO
> > OpenServer, but you have to look pretty far for them. But yet, no real
> > remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS
> > and a few other remotes, but no one runs Solaris any more except the US
> > Government, that I can tell. Even assuming you see some Solaris or AIX
> > or whatever, you end up being so deep in the network already to find it
> > that you've already got all the passwords and don't need exploits.
> >
> > But old operating systems will continue to live forever in CTF, I
> > assume.
> >
> > Sort of as a sign of the times, while I was playing CTF on the Windows
> > machine provided, I browsed the web briefly and my machine was
> > immediately taken over by some really annoying spyware. So for the rest
> > of the game I got to spend a lot of time clicking "close" on IE windows
> > that kept popping up.
> >
> > Anyways, if you want to chat about it or grieve the pain of lost 0day,
> > and you live in London then you should come to Immunity Pub Night In
> > London Saturday Nov 24 at 6pm at the Price Arthur 80-82 Eversholt
> > Street. I'll put 200 quid on the bar to help you drown your sorrows.
> > RSVP to admin at immunityinc.com <mailto:admin at immunityinc.com>!
> >
> > -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com <mailto:Dailydave at lists.immunitysec.com>
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> <http://lists.immunitysec.com/mailman/listinfo/dailydave>
>
> > ------------------------------------------------------------------------
>
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>

More information about the Dailydave mailing list