
Patching

What is a patch?

As the name implies, a patch is a fix. Applied to computers, it is a fix for a software problem. Patches usually come in the form of a program that is designed to fix (or patch) another program.

Why are patches needed? My program works fine!

In some programs, subtle bugs or loopholes are discovered that let an attacker make the program do something it was never intended to do. In most cases ordinary users never notice these bugs while running the program, because nothing goes wrong with normal input.

I don't understand how a "bug" could make me vulnerable.

Suppose a programmer wants a field that allows the user to enter a password. Now, if the programmer set aside only, say, 64 characters in memory to hold this password and didn't check the length of what was entered, what would happen if 65 characters were typed? The 65th character would be written past the end of that space, overwriting whatever the program stored next to it. An attacker who controls the input controls what gets overwritten; by carefully crafting those extra characters, the attacker can change how the program behaves. The bug is called a buffer overflow, and an input built to abuse it is one of the simplest types of exploit.
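As an added illustration (this code is not part of the original page), here is the scenario above in C: the unchecked copy that causes the overflow, next to a version that measures the input before copying. The 64-byte buffer size and the 'A'-filled test inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 64   /* bytes reserved for the password, as in the text */

/* VULNERABLE: the programmer reserved 64 bytes but never checks how much
 * input arrives. strcpy keeps writing until it reaches the input's
 * terminating NUL, so a 65-character entry runs past the end of pw and
 * overwrites whatever the compiler placed after the buffer. With a longer,
 * carefully built input an attacker chooses what those bytes overwrite.
 * The demonstration below never calls this with oversized input; it is
 * here to show the bug. */
void store_password_unchecked(char pw[PASSWORD_MAX], const char *input)
{
    strcpy(pw, input);
}

/* FIXED: measure the input first and refuse anything that does not fit,
 * remembering that the terminating NUL also needs a byte. Returns 0 on
 * success and -1 when the input was rejected. */
int store_password_checked(char *pw, size_t pwsize, const char *input)
{
    size_t len = strlen(input);
    if (len >= pwsize)
        return -1;               /* would overflow: reject, do not copy */
    memcpy(pw, input, len + 1);  /* copy the text and its NUL */
    return 0;
}

/* Demonstration helper: build a constructed password of n 'A' characters
 * (n < 200) and try to store it in a 64-byte buffer. Returns the checked
 * function's verdict: 0 stored, -1 rejected. */
int try_store(size_t n)
{
    char input[200];
    char pw[PASSWORD_MAX];

    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return store_password_checked(pw, sizeof pw, input);
}

int main(void)
{
    size_t lengths[] = { 63, 64, 65, 100 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int rc = try_store(lengths[i]);
        printf("%3zu characters: %s\n", lengths[i],
               rc == 0 ? "stored" : "rejected (would not fit in 64 bytes)");
    }
    return 0;
}
```

Note that the checked version rejects a 64-character password as well as a 65-character one: in C the string's terminating NUL occupies a byte too, so "64 characters of storage" really holds only 63 characters of password. Forgetting that is the classic off-by-one that turns a carefully sized buffer back into an overflow.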

Ok, I have many programs, how can I know if there are bugs?

Usually the vendor of the software responds to a bug report by releasing either a new version of the software (one form of patch) or a program that modifies the installed software to fix it (another form of patch).

For the Microsoft Windows operating systems the task is nicely automated: a website can check all the operating system components and update them accordingly. The website is:

www.windowsupdate.com

You can also set up Windows to update itself automatically.

How often should I check for updates, or patches?

The security team recommends checking once a week. It is also advisable to follow some security-related websites for more up-to-date news on newly discovered bugs and the patches that fix them. We recommend this website:

http://www.incidents.org

What if I don't run windows?

Users of Unix variants sometimes have it tougher. Often the programs that listen on the Internet (and are therefore exposed to remote attacks) are separate from the operating system (e.g. OpenSSH, Apache), so each of them needs to be checked for patches independently. While we know that Fedora Linux has an automatic update feature, users of other Unix variants should consult the vendor of their particular distribution (Mandrake, Slackware, SuSE, etc.).

This file last modified Thursday, 04-May-2006 15:03:14 EDT