Security updates are not the all-in-one solution to the problem, for many reasons.
First of all, the developers must first know of an exploit to make an update about it. In most cases, when an exploit is discovered, the hacker group keeps it a secret within their "circle of hackers". They use it as much as possible before claiming fame for it and publishing the exploit on the web. It's a fact that most people do not update their servers often enough to benefit from the protection
offered by the patches/updates. This is especially true for web servers. Desktop users tend to be notified by their OS that there are updates available, and unix users tend not to have that set up (although it can be set up and should be).
Redhat's up2date is a good feature of RedHat Linux.
Everyone who has a RedHat server should go to:
http://www.redhat.com/errata
and do all the security and bug fix updates to their servers.
Rootkits allow any local user to become root.
So if you are a local user, yes, you can escalate to root if you know of
an exploit (and there are thousands) that the server owner failed to
update/fix/secure.
Also, regardless of root access, even if they are stuck in regular user mode....
They can:
Download your password files for your web site and run crack on them, which
will decode them so they can post them to their password-trading sites....
Download other text-based files like databases, email lists and the like.
Credit card files if you have them in web-space....
Etc.....
Of course, Epoch's problem isn't the sole problem in the world of hackers....
Epoch's shoddy programming *is* the problem for this particular incident
of a user doing what he or she is not supposed to do............ run commands
on your system.
Running a cgi-wrapper is a good idea for everyone. Sudo the scripts etc...
Even that has its failures though.
All I can say is update, use a firewall or iptables/ipchains to close restricted ports,
and by all means use SSH, not telnet, and sftp, not FTP.
-Chris
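Added example (not part of Chris's post, and not code from any project named in it): what the "download your password files and run crack on them" point looks like in practice, next to the file-mode check that decides whether a non-root local user can read the file at all. It assumes Apache's `{SHA}` htpasswd format (`{SHA}` followed by base64 of the SHA-1 of the password); the `.htpasswd` contents and the wordlist are constructed here for the demo, and the `dave` entry is a made-up traditional crypt(3) string whose password is unknown, included only to show how other schemes are reported.

```python
"""Read an htpasswd-style file the way an unprivileged local user could, run a
dictionary attack on its unsalted {SHA} entries, and check the file mode that
makes the file readable in the first place."""
import base64
import hashlib
import os
import stat
import tempfile


def sha_entry(user: str, password: str) -> str:
    """Build an Apache {SHA} entry: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed sample .htpasswd, not copied from any real server. The {SHA}
# entries are generated from known passwords so the result is checkable; the
# 'dave' line is a made-up 13-character crypt(3) string (password unknown).
SAMPLE_HTPASSWD = "\n".join([
    sha_entry("alice", "password"),
    sha_entry("bob", "a much longer passphrase that is not in the list"),
    "dave:abJnggxhB/yWI",
]) + "\n"

# Constructed stand-in for the wordlist a tool like crack would use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin"]


def parse_htpasswd(text: str) -> list[tuple[str, str, str]]:
    """Return (user, scheme, stored) triples; scheme is 'sha1', 'apr1' or 'crypt'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if stored.startswith("{SHA}"):
            entries.append((user, "sha1", stored[len("{SHA}"):]))
        elif stored.startswith("$apr1$"):
            entries.append((user, "apr1", stored))
        else:
            entries.append((user, "crypt", stored))
    return entries


def crack_sha_entries(entries, wordlist) -> dict[str, str]:
    """Dictionary attack on the {SHA} entries. The scheme is unsalted, so one
    SHA-1 per word is compared against every user at once; weak passwords in
    the list fall immediately."""
    by_hash = {stored: user for user, scheme, stored in entries if scheme == "sha1"}
    found = {}
    for word in wordlist:
        candidate = base64.b64encode(hashlib.sha1(word.encode()).digest()).decode()
        if candidate in by_hash:
            found[by_hash[candidate]] = word
    return found


def unsupported_schemes(entries) -> list[str]:
    """Users whose entries use a scheme this demo does not attempt."""
    return [user for user, scheme, _ in entries if scheme != "sha1"]


def world_readable(path: str) -> bool:
    """True if 'other' has read permission, i.e. any local shell user (or any
    CGI running as the web server user) can copy the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def sample_file(mode: int) -> str:
    """Write the constructed sample to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".htpasswd")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_HTPASSWD)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    entries = parse_htpasswd(SAMPLE_HTPASSWD)
    print("cracked:", crack_sha_entries(entries, WORDLIST))
    print("not attempted (other schemes):", unsupported_schemes(entries))
    path = sample_file(0o644)
    print(f"{path} world-readable:", world_readable(path))
    os.remove(path)
```

The fix the post is pointing at is the mode: the password file (and any database dumps or email lists in web space) should be owned by the web server user, mode 0640 or tighter, and kept outside the document root so it is neither fetchable over HTTP nor readable by other local accounts.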