It's MS Patch time again (8 Highly Critical Patches, Linux anyone?)

Discussion in 'Computer Security' started by Michael J. Pelletier, Feb 9, 2005.

  1. Michael J. Pelletier, Feb 9, 2005
    #1

  2. Michael J. Pelletier <> wrote:
    > "Microsoft Corp. released eight security fixes Tuesday that carry its
    > highest threat rating and urged computer users to install them quickly
    > because all the vulnerabilities they address could let attackers take
    > complete control of systems."
    >
    > http://story.news.yahoo.com/news?tm...u=/ap/20050209/ap_on_hi_te/microsoft_security


    As much as I support Linux, though, there have been quite a few kernel
    problems lately (cf. the author of GrSecurity posting six - I believe -
    vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
    the kernel maintainers have now created a special patch branch,
    2.6.10-as2. Applying the patches in there really isn't optional).

    Microsoft has a long-standing history of producing bad security, but
    this time round, Linux hasn't performed much better. (Of course, this is
    mitigated by the fact that a Linux kernel need not include all
    vulnerable parts - for example, I don't need IGMP, 64-bit support or
    SMP; solves a lot of bugs...)

    Linux' open development model may have allowed for quicker fixes, though
    - all my machines were patched within six hours of disclosure. (And this
    'patch pack' fixes problems that had been known for quite a while,
    though frankly, the patches have been around, albeit individually, for a
    while too).

    Oh well, let's wait for the OpenBSD supporters...

    Joachim
    Joachim Schipper, Feb 9, 2005
    #2

  3. Michael J. Pelletier

    Apollo Guest

    "Joachim Schipper" <> wrote in message
    news:420a1442$0$5207$...
    > Michael J. Pelletier <> wrote:
    >> "Microsoft Corp. released eight security fixes Tuesday that
    >> carry its
    >> highest threat rating and urged computer users to install them
    >> quickly
    >> because all the vulnerabilities they address could let
    >> attackers take
    >> complete control of systems."
    >>
    >> http://story.news.yahoo.com/news?tm...u=/ap/20050209/ap_on_hi_te/microsoft_security

    >
    > As much as I support Linux, though, there have been quite a few
    > kernel
    > problems lately (cf. the author of GrSecurity posting six - I
    > believe -
    > vulnerabilities to Bugtraq when the kernel guys didn't fix them
    > in time;
    > the kernel maintainers have now created a special patch branch,
    > 2.6.10-as2. Applying the patches in there really isn't
    > optional).
    >
    > Microsoft has a long-standing history of producing bad security,
    > but
    > this time round, Linux hasn't performed much better. (Of course,
    > this is
    > mitigated by the fact that a Linux kernel need not include all
    > vulnerable parts - for example, I don't need IGMP, 64-bit
    > support or
    > SMP; solves a lot of bugs...)
    >
    > Linux' open development model may have allowed for quicker
    > fixes, though
    > - all my machines were patched within six hours of disclosure.
    > (And this
    > 'patch pack' fixes problems that had been known for quite a
    > while,
    > though frankly, the patches have been around, albeit
    > individually, for a
    > while too).
    >


    IIRC the linux kernel has around 1000 documented bugs, by
    comparison Bill's kernel has an estimated 1.4 million bugs. I
    administer both windows and gentoo linux boxes, I've had windows
    updates that have virtually brought a system to its knees -
    repair installation required.

    Updates to the gentoo boxes have never caused any serious problems
    and as you say security fixes are usually much more timely with
    open source software.

    --
    Ian
    Apollo, Feb 9, 2005
    #3
  4. Michael J. Pelletier

    Leythos Guest

    On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
    > IIRC the linux kernel has around 1000 documented bugs, by comparison
    > Bill's kernel has an estimated 1.4 million bugs.


    How many lines of code in each - your stats mean nothing without knowing
    the number of lines of code in each.

    > I administer both
    > windows and gentoo linux boxes, I've had windows updates that have
    > virtually brought a system to its knees - repair installation required.


    I run hundreds of Windows workstations and servers, only 1 time has a
    service pack trashed an installation (since the NT3.51 days).

    I'm also running Fedora Core 3 and a kernel update trashed my install of
    FC3 causing me to reinstall from scratch.

    > Updates to the gentoo boxes have never caused any serious problems and
    > as you say security fixes are usually much more timely with open source
    > software.


    Updates take about the same amount of time in both worlds, some are easy
    to code others take longer. Neither side is perfect, it's knowing where
    the holes are, how to eliminate exposure, and how to secure the box that
    matters.


    --

    remove 999 in order to email me
    Leythos, Feb 9, 2005
    #4
  5. Michael J. Pelletier

    winged Guest

    Leythos wrote:
    > On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
    >
    >>IIRC the linux kernel has around 1000 documented bugs, by comparison
    >>Bill's kernel has an estimated 1.4 million bugs.

    >
    >
    > How many lines of code in each - your stats mean nothing without knowing
    > the number of lines of code in each.
    >
    >
    >> I administer both
    >>windows and gentoo linux boxes, I've had windows updates that have
    >>virtually brought a system to its knees - repair installation required.

    >
    >
    > I run hundreds of Windows workstations and servers, only 1 time has a
    > service pack trashed an installation (since the NT3.51 days).
    >
    > I'm also running Fedora Core 3 and a kernel update trashed my install of
    > FC3 causing me to reinstall from scratch.
    >
    >
    >>Updates to the gentoo boxes have never caused any serious problems and
    >>as you say security fixes are usually much more timely with open source
    >>software.

    >
    >
    > Updates take about the same amount of time in both worlds, some are easy
    > to code others take longer. Neither side is perfect, it's knowing where
    > the holes are, how to eliminate exposure, and how to secure the box that
    > matters.
    >
    >

    Leythos,

    I couldn't agree more with that last paragraph! The key is:

    1. What meets the requirement best?
    2. How you can fulfill your users' desires without breaching the security
    and policies of your network.

    We have many OS flavors. If one can keep only authorized folks, doing
    authorized things, in an authorized way, the OS is irrelevant. One can
    easily centrally control most systems these days. We tend to run more
    fedora than gentoo but the majority of our users use Windows because
    that is what they know.

    Winged
    winged, Feb 10, 2005
    #5
  6. Joachim Schipper wrote:

    > Michael J. Pelletier <> wrote:
    >> "Microsoft Corp. released eight security fixes Tuesday that carry its
    >> highest threat rating and urged computer users to install them quickly
    >> because all the vulnerabilities they address could let attackers take
    >> complete control of systems."
    >>
    >> http://story.news.yahoo.com/news?tm...u=/ap/20050209/ap_on_hi_te/microsoft_security
    >
    > As much as I support Linux, though, there have been quite a few kernel
    > problems lately (cf. the author of GrSecurity posting six - I believe -
    > vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
    > the kernel maintainers have now created a special patch branch,
    > 2.6.10-as2. Applying the patches in there really isn't optional).
    >
    > Microsoft has a long-standing history of producing bad security, but
    > this time round, Linux hasn't performed much better. (Of course, this is
    > mitigated by the fact that a Linux kernel need not include all
    > vulnerable parts - for example, I don't need IGMP, 64-bit support or
    > SMP; solves a lot of bugs...)
    >
    > Linux' open development model may have allowed for quicker fixes, though
    > - all my machines were patched within six hours of disclosure. (And this
    > 'patch pack' fixes problems that had been known for quite a while,
    > though frankly, the patches have been around, albeit individually, for a
    > while too).
    >
    > Oh well, let's wait for the OpenBSD supporters...
    >
    > Joachim


    Actually I am a FreeBSD dude...
    Michael J. Pelletier, Feb 10, 2005
    #6
  7. Leythos wrote:

    > On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
    >> IIRC the linux kernel has around 1000 documented bugs, by comparison
    >> Bill's kernel has an estimated 1.4 million bugs.

    >
    > How many lines of code in each - your stats mean nothing without knowing
    > the number of lines of code in each.
    >
    >> I administer both
    >> windows and gentoo linux boxes, I've had windows updates that have
    >> virtually brought a system to its knees - repair installation required.

    >
    > I run hundreds of Windows workstations and servers, only 1 time has a
    > service pack trashed an installation (since the NT3.51 days).
    >
    > I'm also running Fedora Core 3 and a kernel update trashed my install of
    > FC3 causing me to reinstall from scratch.
    >
    >> Updates to the gentoo boxes have never caused any serious problems and
    >> as you say security fixes are usually much more timely with open source
    >> software.

    >
    > Updates take about the same amount of time in both worlds, some are easy
    > to code others take longer. Neither side is perfect, it's knowing where
    > the holes are, how to eliminate exposure, and how to secure the box that
    > matters.
    >



    Oh come on now! I do computer security for a living. MS is absolutely
    horrible in the amount of time it takes from discovery to fix. Linux/BSD
    has an average of 3 days. MS has an average of 30 to 60. That is 10 times
    longer... let's be honest here.


    As far as patches on MS not blowing up a system. How long have you been
    installing patches? It has happened to everyone! XP SP2 anyone???????????

    Michael
    Michael J. Pelletier, Feb 10, 2005
    #7
  8. winged wrote:

    > Leythos wrote:
    >> On Wed, 09 Feb 2005 16:42:34 +0000, Apollo wrote:
    >>
    >>>IIRC the linux kernel has around 1000 documented bugs, by comparison
    >>>Bill's kernel has an estimated 1.4 million bugs.

    >>
    >>
    >> How many lines of code in each - your stats mean nothing without knowing
    >> the number of lines of code in each.
    >>
    >>
    >>> I administer both
    >>>windows and gentoo linux boxes, I've had windows updates that have
    >>>virtually brought a system to its knees - repair installation required.

    >>
    >>
    >> I run hundreds of Windows workstations and servers, only 1 time has a
    >> service pack trashed an installation (since the NT3.51 days).
    >>
    >> I'm also running Fedora Core 3 and a kernel update trashed my install of
    >> FC3 causing me to reinstall from scratch.
    >>
    >>
    >>>Updates to the gentoo boxes have never caused any serious problems and
    >>>as you say security fixes are usually much more timely with open source
    >>>software.

    >>
    >>
    >> Updates take about the same amount of time in both worlds, some are easy
    >> to code others take longer. Neither side is perfect, it's knowing where
    >> the holes are, how to eliminate exposure, and how to secure the box that
    >> matters.
    >>
    >>

    > Leythos,
    >
    > I couldn't agree more with that last paragraph! The key is:
    >
    > 1. What meets the requirement best?
    > 2. How you can fulfill your users' desires without breaching the security
    > and policies of your network.
    >
    > We have many OS flavors. If one can keep only authorized folks, doing
    > authorized things, in an authorized way, the OS is irrelevant. One can
    > easily centrally control most systems these days. We tend to run more
    > fedora than gentoo but the majority of our users use Windows because
    > that is what they know.


    Sure, but times are a-changing. Get used to it....

    ---------------------------------------------------------------------------
    Open Source: Millions of opened minds couldn't be wrong.
    ---------------------------------------------------------------------------

    Michael
    Michael J. Pelletier, Feb 10, 2005
    #8
  9. Michael J. Pelletier

    Leythos Guest

    On Wed, 09 Feb 2005 22:45:18 -0800, Michael J. Pelletier wrote:
    > As far as patches on MS not blowing up a system. How long have you been
    > installing patches? It has happened to everyone! XP SP2 anyone???????????


    Sure, let's be honest - We've installed SP2 on more than 1000 systems since
    it came out and have found 2 systems that were problematic - one required
    a BIOS update, one didn't require, but was easier to just wipe/reinstall.
    Sounds like a good track record to me.

    --

    remove 999 in order to email me
    Leythos, Feb 10, 2005
    #9
  10. Michael J. Pelletier <> wrote:
    > Joachim Schipper wrote:


    >> As much as I support Linux, though, there have been quite a few kernel
    >> problems lately (cf. the author of GrSecurity posting six - I believe -
    >> vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
    >> the kernel maintainers have now created a special patch branch,
    >> 2.6.10-as2. Applying the patches in there really isn't optional).
    >>
    >> Microsoft has a long-standing history of producing bad security, but
    >> this time round, Linux hasn't performed much better. (Of course, this is
    >> mitigated by the fact that a Linux kernel need not include all
    >> vulnerable parts - for example, I don't need IGMP, 64-bit support or
    >> SMP; solves a lot of bugs...)
    >>
    >> Linux' open development model may have allowed for quicker fixes, though
    >> - all my machines were patched within six hours of disclosure. (And this
    >> 'patch pack' fixes problems that had been known for quite a while,
    >> though frankly, the patches have been around, albeit individually, for a
    >> while too).
    >>
    >> Oh well, let's wait for the OpenBSD supporters...
    >>
    >> Joachim

    >
    > Actually I am a FreeBSD dude...


    You didn't try to tell anyone to switch to OpenBSD, either... ;-)

    Seriously though, OpenBSD looks great but I'm staying with GNU for now.
    I like their idealism. (That, and I feel Linux can be very secure if
    properly hardened - why aren't GrSecurity, loop-AES and PaX in mainline?
    All have been around for a long time; loop-AES might be a little
    intrusive, completely replacing the loop drivers, but GrSecurity/PaX
    applies very cleanly and can easily be disabled, if so desired.)

    For the record: I administer about six Windows boxes - depending on what
    counts as 'administering' - and two Linux machines. The latter are
    LFS-based, run a couple of services, and have undergone some hardening.
    The former I keep in working condition to allow others to work on them.
    I plan to install at least four more machines, all running Linux, but I
    keep putting it off for lack of time. Most of these machines are either
    the property of family members or my students' association - my own
    machine runs Linux, and Linux only.

    Joachim
    Joachim Schipper, Feb 10, 2005
    #10
  11. Joachim Schipper wrote:

    > Michael J. Pelletier <> wrote:
    >> Joachim Schipper wrote:

    >
    >>> As much as I support Linux, though, there have been quite a few kernel
    >>> problems lately (cf. the author of GrSecurity posting six - I believe -
    >>> vulnerabilities to Bugtraq when the kernel guys didn't fix them in time;
    >>> the kernel maintainers have now created a special patch branch,
    >>> 2.6.10-as2. Applying the patches in there really isn't optional).
    >>>
    >>> Microsoft has a long-standing history of producing bad security, but
    >>> this time round, Linux hasn't performed much better. (Of course, this is
    >>> mitigated by the fact that a Linux kernel need not include all
    >>> vulnerable parts - for example, I don't need IGMP, 64-bit support or
    >>> SMP; solves a lot of bugs...)
    >>>
    >>> Linux' open development model may have allowed for quicker fixes, though
    >>> - all my machines were patched within six hours of disclosure. (And this
    >>> 'patch pack' fixes problems that had been known for quite a while,
    >>> though frankly, the patches have been around, albeit individually, for a
    >>> while too).
    >>>
    >>> Oh well, let's wait for the OpenBSD supporters...
    >>>
    >>> Joachim

    >>
    >> Actually I am a FreeBSD dude...

    >
    > You didn't try to tell anyone to switch to OpenBSD, either... ;-)


    Well, OpenBSD is probably the most secure OS now. However, I swear by
    FreeBSD. Nothing matches the stability of FreeBSD.

    > Seriously though, OpenBSD looks great but I'm staying with GNU for now.
    > I like their idealism.


    FreeBSD is GNU. I think OpenBSD is too.

    > (That, and I feel Linux can be very secure if
    > properly hardened - why aren't GrSecurity, loop-AES and PaX in mainline?
    > All have been around for a long time; loop-AES might be a little
    > intrusive, completely replacing the loop drivers, but GrSecurity/PaX
    > applies very cleanly and can easily be disabled, if so desired.)
    >
    > For the record: I administer about six Windows boxes - depending on what
    > counts as 'administering' - and two Linux machines. The latter are
    > LFS-based, run a couple of services, and have undergone some hardening.
    > The former I keep in working condition to allow others to work on them.
    > I plan to install at least four more machines, all running Linux, but I
    > keep putting it off for lack of time. Most of these machines are either
    > the property of family members or my students' association - my own
    > machine runs Linux, and Linux only.



    Yes, I am also bringing many, many more Linux/*BSD servers into my
    corporation. It just makes my job so much easier....

    -- Michael
    Michael J. Pelletier, Feb 11, 2005
    #11
  12. Leythos wrote:

    > On Wed, 09 Feb 2005 22:45:18 -0800, Michael J. Pelletier wrote:
    >> As far as patches on MS not blowing up a system. How long have you been
    >> installing patches? It has happened to everyone! XP SP2 anyone???????????

    >
    > Sure, let's be honest - We've installed SP2 on more than 1000 systems since
    > it came out and have found 2 systems that were problematic - one required
    > a BIOS update, one didn't require, but was easier to just wipe/reinstall.
    > Sounds like a good track record to me.
    >


    Many, many people got burned on SP on XP. Mostly due to spyware. In either
    case they got burned. Pretty bad track record if you ask me.

    GNU is the future --- Get used to it

    -- Michael
    Michael J. Pelletier, Feb 11, 2005
    #12
