It's MS Patch time again (8 Highly Critical Patches, Linux anyone?)

 
 
Michael J. Pelletier
Guest
Posts: n/a
 
      02-09-2005
"Microsoft Corp. released eight security fixes Tuesday that carry its
highest threat rating and urged computer users to install them quickly
because all the vulnerabilities they address could let attackers take
complete control of systems."

http://story.news.yahoo.com/news?tmp...osoft_security
 
 
 
 
 
Joachim Schipper
Guest
Posts: n/a
 
      02-09-2005
Michael J. Pelletier <(E-Mail Removed)> wrote:
> "Microsoft Corp. released eight security fixes Tuesday that carry its
> highest threat rating and urged computer users to install them quickly
> because all the vulnerabilities they address could let attackers take
> complete control of systems."
>
> http://story.news.yahoo.com/news?tmp...osoft_security


As much as I support Linux, though, there have been quite a few kernel
problems lately (cf. the author of GrSecurity posting six - I believe -
vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
the kernel maintainers have now created a special patch branch,
2.6.10-as2. Applying the patches in there really isn't optional).

Microsoft has a long-standing history of producing bad security, but
this time round, Linux hasn't performed much better. (Of course, this is
mitigated by the fact that a Linux kernel need not include all
vulnerable parts - for example, I don't need IGMP, 64-bit support or
SMP; solves a lot of bugs...)

Linux' open development model may have allowed for quicker fixes, though
- all my machines were patched within six hours of disclosure. (And this
'patch pack' fixes problems that had been known for quite a while,
though frankly, the patches have been around, albeit individually, for a
while too).

Oh well, let's wait for the OpenBSD supporters...

Joachim
 
 
 
 
 
Apollo
Guest
Posts: n/a
 
      02-09-2005

"Joachim Schipper" <(E-Mail Removed)> wrote in message
news:420a1442$0$5207$(E-Mail Removed)...
> Michael J. Pelletier <(E-Mail Removed)> wrote:
>> "Microsoft Corp. released eight security fixes Tuesday that
>> carry its
>> highest threat rating and urged computer users to install them
>> quickly
>> because all the vulnerabilities they address could let
>> attackers take
>> complete control of systems."
>>
>> http://story.news.yahoo.com/news?tmp...osoft_security

>
> As much as I support Linux, though, there have been quite a few
> kernel
> problems lately (cf. the author of GrSecurity posting six - I
> believe -
> vulnerabilities to Bugtraq when the kernel guys didn't fix them
> in time;
> the kernel maintainers have now created a special patch branch,
> 2.6.10-as2. Applying the patches in there really isn't
> optional).
>
> Microsoft has a long-standing history of producing bad security,
> but
> this time round, Linux hasn't performed much better. (Of course,
> this is
> mitigated by the fact that a Linux kernel need not include all
> vulnerable parts - for example, I don't need IGMP, 64-bit
> support or
> SMP; solves a lot of bugs...)
>
> Linux' open development model may have allowed for quicker
> fixes, though
> - all my machines were patched within six hours of disclosure.
> (And this
> 'patch pack' fixes problems that had been known for quite a
> while,
> though frankly, the patches have been around, albeit
> individually, for a
> while too).
>


IIRC the linux kernel has around 1000 documented bugs, by
comparison Bill's kernel has an estimated 1.4 million bugs. I
administer both windows and gentoo linux boxes, I've had windows
updates that have virtually brought a system to its knees -
repair installation required.

Updates to the gentoo boxes have never caused any serious problems
and as you say security fixes are usually much more timely with
open source software.

--
Ian


 
 
Leythos
Guest
Posts: n/a
 
      02-09-2005
On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
> IIRC the linux kernel has around 1000 documented bugs, by comparison
> Bill's kernel has an estimated 1.4 million bugs.


How many lines of code in each - your stats mean nothing without knowing
the number of lines of code in each.

> I administer both
> windows and gentoo linux boxes, I've had windows updates that have
> virtually brought a system to its knees - repair installation required.


I run hundreds of Windows workstations and servers, only 1 time has a
service pack trashed an installation (since the NT3.51 days).

I'm also running Fedora Core 3 and a kernel update trashed my install of
FC3 causing me to reinstall from scratch.

> Updates to the gentoo boxes have never caused any serious problems and
> as you say security fixes are usually much more timely with open source
> software.


Updates take about the same amount of time in both worlds, some are easy
to code others take longer. Neither side is perfect, it's knowing where
the holes are, how to eliminate exposure, and how to secure the box that
matters.


--
(E-Mail Removed)
remove 999 in order to email me

 
 
winged
Guest
Posts: n/a
 
      02-10-2005
Leythos wrote:
> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
>
>>IIRC the linux kernel has around 1000 documented bugs, by comparison
>>Bill's kernel has an estimated 1.4 million bugs.

>
>
> How many lines of code in each - your stats mean nothing without knowing
> the number of lines of code in each.
>
>
>> I administer both
>>windows and gentoo linux boxes, I've had windows updates that have
>>virtually brought a system to its knees - repair installation required.

>
>
> I run hundreds of Windows workstations and servers, only 1 time has a
> service pack trashed an installation (since the NT3.51 days).
>
> I'm also running Fedora Core 3 and a kernel update trashed my install of
> FC3 causing me to reinstall from scratch.
>
>
>>Updates to the gentoo boxes have never caused any serious problems and
>>as you say security fixes are usually much more timely with open source
>>software.

>
>
> Updates take about the same amount of time in both worlds, some are easy
> to code others take longer. Neither side is perfect, it's knowing where
> the holes are, how to eliminate exposure, and how to secure the box that
> matters.
>
>

Leythos,

I couldn't agree more with that last paragraph! The key is:

1. What meets the requirement best?
2. How you can fulfill your users' desires without breaching the security
and policies of your network.

We have many OS flavors. If one can keep only authorized folks, doing
authorized things, in an authorized way, the OS is irrelevant. One can
easily centrally control most systems these days. We tend to run more
fedora than gentoo but the majority of our users use Windows because
that is what they know.

Winged
 
 
Michael J. Pelletier
Guest
Posts: n/a
 
      02-10-2005
Joachim Schipper wrote:

> Michael J. Pelletier <(E-Mail Removed)> wrote:
>> "Microsoft Corp. released eight security fixes Tuesday that carry its
>> highest threat rating and urged computer users to install them quickly
>> because all the vulnerabilities they address could let attackers take
>> complete control of systems."
>>
>> http://story.news.yahoo.com/news?tmp...osoft_security
>
> As much as I support Linux, though, there have been quite a few kernel
> problems lately (cf. the author of GrSecurity posting six - I believe -
> vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
> the kernel maintainers have now created a special patch branch,
> 2.6.10-as2. Applying the patches in there really isn't optional).
>
> Microsoft has a long-standing history of producing bad security, but
> this time round, Linux hasn't performed much better. (Of course, this is
> mitigated by the fact that a Linux kernel need not include all
> vulnerable parts - for example, I don't need IGMP, 64-bit support or
> SMP; solves a lot of bugs...)
>
> Linux' open development model may have allowed for quicker fixes, though
> - all my machines were patched within six hours of disclosure. (And this
> 'patch pack' fixes problems that had been known for quite a while,
> though frankly, the patches have been around, albeit individually, for a
> while too).
>
> Oh well, let's wait for the OpenBSD supporters...
>
> Joachim


Actually I am a FreeBSD dude...
 
 
Michael J. Pelletier
Guest
Posts: n/a
 
      02-10-2005
Leythos wrote:

> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
>> IIRC the linux kernel has around 1000 documented bugs, by comparison
>> Bill's kernel has an estimated 1.4 million bugs.

>
> How many lines of code in each - your stats mean nothing without knowing
> the number of lines of code in each.
>
>> I administer both
>> windows and gentoo linux boxes, I've had windows updates that have
>> virtually brought a system to its knees - repair installation required.

>
> I run hundreds of Windows workstations and servers, only 1 time has a
> service pack trashed an installation (since the NT3.51 days).
>
> I'm also running Fedora Core 3 and a kernel update trashed my install of
> FC3 causing me to reinstall from scratch.
>
>> Updates to the gentoo boxes have never caused any serious problems and
>> as you say security fixes are usually much more timely with open source
>> software.

>
> Updates take about the same amount of time in both worlds, some are easy
> to code others take longer. Neither side is perfect, it's knowing where
> the holes are, how to eliminate exposure, and how to secure the box that
> matters.
>



Oh come on now! I do computer security for a living. MS is absolutely
horrible in the amount of time it takes from discovery to fix. Linux/BSD
has an average of 3 days. MS has an average of 30 to 60. That is 10 times
longer ...let's be honest here.


As far as patches on MS not blowing up a system. How long have you been
installing patches? It has happened to everyone! XP SP2 anyone???????????

Michael

 
 
Michael J. Pelletier
Guest
Posts: n/a
 
      02-10-2005
winged wrote:

> Leythos wrote:
>> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
>>
>>>IIRC the linux kernel has around 1000 documented bugs, by comparison
>>>Bill's kernel has an estimated 1.4 million bugs.

>>
>>
>> How many lines of code in each - your stats mean nothing without knowing
>> the number of lines of code in each.
>>
>>
>>> I administer both
>>>windows and gentoo linux boxes, I've had windows updates that have
>>>virtually brought a system to its knees - repair installation required.

>>
>>
>> I run hundreds of Windows workstations and servers, only 1 time has a
>> service pack trashed an installation (since the NT3.51 days).
>>
>> I'm also running Fedora Core 3 and a kernel update trashed my install of
>> FC3 causing me to reinstall from scratch.
>>
>>
>>>Updates to the gentoo boxes have never caused any serious problems and
>>>as you say security fixes are usually much more timely with open source
>>>software.

>>
>>
>> Updates take about the same amount of time in both worlds, some are easy
>> to code others take longer. Neither side is perfect, it's knowing where
>> the holes are, how to eliminate exposure, and how to secure the box that
>> matters.
>>
>>

> Leythos,
>
> I couldn't agree more with that last paragraph! The key is:
>
> 1. What meets the requirement best?
> 2. How you can fulfill your users' desires without breaching the security
> and policies of your network.
>
> We have many OS flavors. If one can keep only authorized folks, doing
> authorized things, in an authorized way, the OS is irrelevant. One can
> easily centrally control most systems these days. We tend to run more
> fedora than gentoo but the majority of our users use Windows because
> that is what they know.


Sure, but times are a-changing. Get used to it....

---------------------------------------------------------------------------
Open Source: Millions of opened minds couldn't be wrong.
---------------------------------------------------------------------------

Michael
 
 
Leythos
Guest
Posts: n/a
 
      02-10-2005
On Wed, 09 Feb 2005 22:45:18 -0800, Michael J. Pelletier wrote:
> As far as patches on MS not blowing up a system. How long have you been
> installing patches? It has happened to everyone! XP SP2 anyone???????????


Sure, let's be honest - We've installed SP2 on more than 1000 systems since
it came out and have found 2 systems that were problematic - one required
a BIOS update, one didn't require, but was easier to just wipe/reinstall.
Sounds like a good track record to me.

--
(E-Mail Removed)
remove 999 in order to email me

 
 
Joachim Schipper
Guest
Posts: n/a
 
      02-10-2005
Michael J. Pelletier <(E-Mail Removed)> wrote:
> Joachim Schipper wrote:


>> As much as I support Linux, though, there have been quite a few kernel
>> problems lately (cf. the author of GrSecurity posting six - I believe -
>> vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
>> the kernel maintainers have now created a special patch branch,
>> 2.6.10-as2. Applying the patches in there really isn't optional).
>>
>> Microsoft has a long-standing history of producing bad security, but
>> this time round, Linux hasn't performed much better. (Of course, this is
>> mitigated by the fact that a Linux kernel need not include all
>> vulnerable parts - for example, I don't need IGMP, 64-bit support or
>> SMP; solves a lot of bugs...)
>>
>> Linux' open development model may have allowed for quicker fixes, though
>> - all my machines were patched within six hours of disclosure. (And this
>> 'patch pack' fixes problems that had been known for quite a while,
>> though frankly, the patches have been around, albeit individually, for a
>> while too).
>>
>> Oh well, let's wait for the OpenBSD supporters...
>>
>> Joachim

>
> Actually I am a FreeBSD dude...


You didn't try to tell anyone to switch to OpenBSD, either...

Seriously though, OpenBSD looks great but I'm staying with GNU for now.
I like their idealism. (That, and I feel Linux can be very secure if
properly hardened - why aren't GrSecurity, loop-AES and PaX in mainline?
All have been around for a long time; loop-AES might be a little
intrusive, completely replacing the loop drivers, but GrSecurity/PaX
applies very cleanly and can easily be disabled, if so desired.)

For the record: I administer about six Windows boxes - depending on what
counts as 'administering' - and two Linux machines. The latter are
LFS-based, run a couple of services, and have undergone some hardening.
The former I keep in working condition to allow others to work on them.
I plan to install at least four more machines, all running Linux, but I
keep putting it off for lack of time. Most of these machines are either
the property of family members or my students' association - my own
machine runs Linux, and Linux only.

Joachim
 
 
 
 