Patch-Fatigued Users Contemplate Ditching Microsoft

InternetWeek ^ | September 15, 2003 | John Foley, George V. Hulme

[MarkL]

Get real. Mozilla and Apache and Netscape aren't distributed on Windows disks. But they are distributed with Linux.

But AOL is... So if there's a problem with AOL software, you blame Microsoft for it?

Mark

[tortoise]

Mozilla and Apache and Netscape aren't distributed on Windows disks. But they are distributed with Linux.

As a technical nit, they frequently aren't distributed with Linux unless you are using a version intended for desktop usage. Server distros tend to be very sparse. We use a Debian variant, which I despise, but then I don't have to admin the things so I let them do what they want as long as it isn't inherently stupid. There is virtually zero software on the server, just enough to bootstrap the box; the rest we build later from checksummed tarballs.

[Coral Snake]

Just like Liberal Classic and justlurking do it seems that I now have to start handing out lessons in what should be the SIMPLE Free Republic posting policy.

NO Profanity, NO Personal Attacks!!!

Quiet you!

However if you REALLY want to turn my simple return to Linux into some Vince McMahon, Stone Cold Steve Austin no holds barred match then be advised that due to a particular piece of "schooling" I have received from the Linux people here I have recently added a new SECRET INGREDIENT to my venom.

[justlurking]

They might have made that claim but the court didn't buy that argument. The court went so far as to order MS to disintegrate them. So try again.

Microsoft, arguing that the Internet Explorer code is completely integrated with Windows, has said the only way it can comply with Jackson's 1 December order is to offer a version of the operating system that does not function.

Even though the court disagreed, who am I to argue with Microsoft?

Get real. Mozilla and Apache and Netscape aren't distributed on Windows disks. But they are distributed with Linux.

Actually, Netscape was distributed with Windows by several OEM's for a while. The OEM's are the closest analog to companies like RedHat that package the Linux kernel with other open software products into a single distribution. Under your rationale, since Netscape is "part of Linux", it was "part of Windows", too.

But, if the packager is the responsible party, IIS was packaged with Windows, as well: at least in the Windows 2000 distribution (I haven't looked for it on the WinXP distribution). I've already said that I didn't consider IIS an integral part of Windows, but by your definition it would be.

[Poser]

Bingo. Virus writers attack Microsoft because it is common. If Linux or anything else gains a decent size market share, the virus writers will attack it.

Question to Linux users: What will you do when a few hundred virus writers attack Linux? This is an honest question. I have no doubt that Linux can be hacked. Who will patch your systems and who will write the patches? How long will it take to get a working patch written?

Linux and Mac users have been protected by the fact that Microsoft is successful.

I'm not a Windows lover, but my Windows XP notifies me and installs a patch, usually before the virus or worm tries to infect my machine. Any time an attack has been attempted, my firewall has caught it and the attack was unsuccessful.

I'm trying to imagine a better system. Having been an applications programmer in the early 1980s, I know that there is no software that is perfect and cannot be hacked. Open source would seem to make it easier. If I have the code, I can more easily find the holes and exploit them.

Please enlighten me.

[Bush2000]

Even though the court disagreed, who am I to argue with Microsoft?

Believe whatever you want. The court has the final say. I'll choose reality.

Actually, Netscape was distributed with Windows by several OEM's for a while.

Nice try -- but Netscape isn't licensed by Microsoft. It's an add-on that's solely supported by OEMs.

[Porterville]

Competition??? But Whom???? I don't like Lynux and I don't like Macintosh... so what is better??? Will somebody please build a better mousetrap already???

[Bush2000]

The point is that you turn off what you don't need and configure it so that it is secure as possible.

I can do the same thing with IE and IIS and Outlook and whatever. I can also use the built-in IP filtering to enable/disable any ports that I want. And doing so obviates the need to patch the damned box. Geezus, you geniuses would think this is impossible ...

[justlurking]

Question to Linux users: What will you do when a few hundred virus writers attack Linux? This is an honest question.

And the honest answer is that the currently available email clients for Linux don't have a large number of exploitable security holes like Outlook and Outlook Express. A good part of the reason is because the Linux clients don't have the "features" in Outlook (Express) that enable this kind of attack.

I have no doubt that Linux can be hacked.

Neither do I. But, it will not be an email attack, unless an insecure email client like Outlook becomes widely used on Linux. Don't get me wrong: they aren't bulletproof, but the diversity of clients makes any one of them less attractive as a target.

A more likely attack on a Linux system is on a server daemon running on Linux. Those same server daemons are typically running on many different Unix versions and sometimes even Windows. However, a particular exploit is probably not going to work on Sun Solaris, at least without modification.

Who will patch your systems and who will write the patches?

The community developing and maintaining the vulnerable product. They typically step up to the plate very quickly.

How long will it take to get a working patch written?

Usually, a couple of days. I've found that the biggest delay is getting the patch system of the distributor (like RedHat) updated. However, the distribution I use is typically updated within 24 hours after a security patch is available.

[Bush2000]

The OEM's are the closest analog to companies like RedHat that package the Linux kernel with other open software products into a single distribution.

BS. RedHat doesn't sell hardware.

[Poser]

"Linux had 75 security patches
ALL Microsoft had 72 security patches "

Interesting.

Does this mean those suggesting Linux as the answer to security problems (and pretty much everything else) are misleading me?

Does Linux automatically find and download security patches like Windows?

I keep listening to Linux people bad-mouthing Microsoft and I am considering converting one of my computers to Linux. I am under the impression that installation of the operating system will be simple and intuitive. I have been told that I can easily install a shell to run the Windows based programs that I must have (Dreamweaver MX Pro Studio, Paint Shop Pro, Corel Draw, Adobe Photoshop, Access). I have been told that the free applications are just as good as Word, Excell and Access. I need good FTP and Terminal packages. Will Linux run my PC games? Will it support my DVD drives and fire-wire and USB devices? Will it support my printers and recognize my wireless routers?

Should I be spending my time learning Linux and its associated software or is it going to be a royal pain in the ass?

What is the real truth?

[Bush2000]

And the honest answer is that the currently available email clients for Linux don't have a large number of exploitable security holes like Outlook and Outlook Express.

Fine. They'll exploit buffer overflows and other security weaknesses. You're not seriously going to argue that none of these products are vulnerable to BOs, are you?!?

[Bush2000]

But, it will not be an email attack, unless an insecure email client like Outlook becomes widely used on Linux. Don't get me wrong: they aren't bulletproof, but the diversity of clients makes any one of them less attractive as a target. A more likely attack on a Linux system is on a server daemon running on Linux. Those same server daemons are typically running on many different Unix versions and sometimes even Windows. However, a particular exploit is probably not going to work on Sun Solaris, at least without modification.

Self-deluding nonsense. You have no concept of the threat matrix facing these applications.

[justlurking]

Believe whatever you want. The court has the final say. I'll choose reality.

If Microsoft says that IE is part of Windows, they are taking responsibility for it, regardless of what you believe.

Nice try -- but Netscape isn't licensed by Microsoft. It's an add-on that's solely supported by OEMs.

The applications distributed with Linux by RedHat, etc. aren't licensed by Linux, either. They are add-ons that are solely supported by their respective development communities.

[justlurking]

BS. RedHat doesn't sell hardware.

No, they don't. But, the OEMs are bundling hardware and software with Windows.

RedHat is only bundling software with the Linux kernel. But, if that makes all the software "Linux", then the OEM's bundling of software and hardware makes it all "Windows".

I'm simply applying your own assertions to the equivalent situation in the Windows environment. If you don't like the result, then maybe you should reconsider your assertions.

[Bush2000]

If Microsoft says that IE is part of Windows, they are taking responsibility for it, regardless of what you believe.

What part about "the court ruled against Microsoft" do you not understand?

The applications distributed with Linux by RedHat, etc. aren't licensed by Linux, either. They are add-ons that are solely supported by their respective development communities.

I don't have a problem with the suggestion that apps distributed with Linux aren't Linux. But by the same token, the Linux attack-bots had better abide by the same standard with IE and Outlook and IIS and etc.

[justlurking]

Fine. They'll exploit buffer overflows and other security weaknesses. You're not seriously going to argue that none of these products are vulnerable to BOs, are you?!?

Some of them undoubtedly are vulnerable to buffer overruns. But, that's a much more limited set of vulnerabilities than the Active Scripting holes in Outlook and Outlook Express.

[LibWhacker]

I'm trying to imagine a better system.

I don't think there is one. I'd sure hate to be in charge of developing an OS and a huge suite of apps to go with it (what's that, millions of lines of code?) that had to be virus proof, hack proof, bug proof, etc. I don't think it can be done. In fact, give me almost any program, and I'll bet I can do something to make it act weird.

Microsoft irritates the heck out of me sometimes, but we have to be fair about this. Yes, it could do better, but the lion's share of the blame for viruses must be laid at the feet of the virus writers themselves.

[Bush2000]

Some of them undoubtedly are vulnerable to buffer overruns. But, that's a much more limited set of vulnerabilities than the Active Scripting holes in Outlook and Outlook Express.

Look, if I thought you were going to pull something out of your ass, I wouldn't have asked the question. You simply can't assert that. You have no proof.

[TechJunkYard]

I can also use the built-in IP filtering to enable/disable any ports that I want. And doing so obviates the need to patch the damned box. Geezus, you geniuses would think this is impossible ...

That might save you from the RPC worm, for example, but doesn't protect you from the recently reported IE vulns.

Firewalls can't do it all when the design is flawed.