??? Virtually no software is guaranteed to be free from defects.
??? Most end-user license agreements (EULAs) require the user of a piece of
software to hold the author of the software free from blame for any damage
caused by the software.
Given these circumstances, who is to blame when a computer system is broken into
because of a newly discovered vulnerability in an application or the operating system
that happens to be running on that computer? Arguments are made either way, blaming
the vendor for creating the vulnerable software in the first place, or blaming the user for
failing to quickly patch or otherwise mitigate the problem. The fact is, given the current
state of the art in intrusion detection, users can only defend against known threats. This
leaves the passive user completely at the mercy of the vendor and ethical security
researchers to discover vulnerabilities and report them in order for vendors to develop
patches for those vulnerabilities before those same vulnerabilities are discovered and
exploited in a malicious fashion. The most aggressive sysadmin whose systems always
have the latest patches applied will always be at the mercy of those that possess zero-day
exploits. Vendors can??™t develop patches for problems that they are unaware of or refuse
to acknowledge (which defines the nature of a zero-day exploit).
Pages:
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604