Steve Bellovin on Nostr: Yes. There are two different lessons here. First, auto-installed patches can be a bad ...
Yes. There are two different lessons here. First, auto-installed patches can be a bad thing. Second, technology where patches are hard to install or uninstall is very dangerous, especially in production environments. (That latter was, as I recall, one of the issues with the Struts vulnerability that was used to hack Equifax some years ago.)
https://mastodon.laurenweinstein.org/@lauren/112813420749045364

Published at 2024-07-19 13:41:41

Event JSON
{
  "id": "d43d499c2cd291a9da5c5c42c6c2c6a5f055d8664cb87f56ef7ca789c422fc2d",
  "pubkey": "6da2523d22fe20b9e224d3a3faa0a966295e43c7eb7e55e99dff4b76a9fa0a5a",
  "created_at": 1721396501,
  "kind": 1,
  "tags": [
    [
      "proxy",
      "https://mastodon.lawprofs.org/users/SteveBellovin/statuses/112813441102839764",
      "activitypub"
    ]
  ],
  "content": "Yes. There are two different lessons here. First, auto-installed patches can be a bad thing. Second, technology where patches are hard to install or uninstall is very dangerous, especially in production environments. (That latter was, as I recall, one of the issues with the Struts vulnerability that was used to hack Equifax some years ago.)\nhttps://mastodon.laurenweinstein.org/@lauren/112813420749045364",
  "sig": "b43133c6cd911a23b8880efc3d95a867f090c9d8baab2bf2664b8ac2ad86024c66b12f7809c3f5fcfa01f863db70cce6dbdb23c9b6c2854326d345e8a3e7e597"
}