Free Republic

Patch-Fatigued Users Contemplate Ditching Microsoft
InternetWeek ^ | September 15, 2003 | John Foley, George V. Hulme

Posted on 09/15/2003 1:30:06 PM PDT by HAL9000

To: justlurking
There you go again.

True, some of those "applications" are not part of the Kernel but they are part of Linux.

The same logic applies to Windows and the 72 patch number. You can break out those 72 patches into what is the OS and what are "applications" that just happen to be packaged with the OS. Remember that Windows also includes a number of "applications" with the OS. It comes with a DNS Server, DHCP, WINS, Web Server (IIS), Directory Services (AD), ASP, Kerberos.... and on and on. Start adding on the security patches numbers for applications for the Linux Kernel like PHP and the security swiss cheese Apache and the numbers for Linux get VERY ugly.

61 posted on 09/15/2003 7:25:32 PM PDT by AgentOfTruth (- Sometimes the truth is insensitive)
[ Post Reply | Private Reply | To 54 | View Replies]

To: LibWhacker
"Yep, if Microsoft were to disappear tomorrow all the virus writers would retire."

Yep, and the economy would take a shit! Business runs quite well on MS. Could be better but they are way ahead of whoever is in second place!

Why don't you be the first to ditch your MS machine and all you can control.
62 posted on 09/15/2003 7:26:34 PM PDT by lawdude
[ Post Reply | Private Reply | To 3 | View Replies]

To: tortoise
He does that a lot, said there was no CDE for Linux, then when I presented one he said it was crap (could not back it up) then left..
63 posted on 09/15/2003 7:27:40 PM PDT by N3WBI3
[ Post Reply | Private Reply | To 44 | View Replies]

To: N3WBI3
"For the year, the tally stands at 39."

I was just going by what the article said. It doesn't seem like I'm downloading more than that a month, but I could be. I've never had twelve at a time, though. Let me check...

For all available updates, I'm showing seven installed updates for September, five from August, seven from July, two from June, three from May, ten from April, three from March, eight from February, and four from January = 5.4 per month.

For Critical, Security, and Recommended Updates, I'm showing two for September, four for August, six for July, two for June, three for May, seven for April, three for March, eight for February, and one for January = 4 per month.

64 posted on 09/15/2003 7:30:12 PM PDT by scott7278 ("If I'm not back by dawn -- call the president.")
[ Post Reply | Private Reply | To 56 | View Replies]

To: AgentOfTruth
Let's just not count; let's look at what we are counting:

Red Hat itself comes with hundreds of third party applications; one of the errors was for "Hangul Terminal is a terminal emulator for the X Window System, based on Xterm." Unlike the Windows updates, which by inspection look to be about 75% OS related, Linux updates to the kernel or core servers (Apache/MySQL/Sendmail) are far less frequent.

Is Linux perfect? No, but a server which does not have literally hundreds of apps installed requires far less patching than Windows, and most of those do not require a reboot..

65 posted on 09/15/2003 7:40:04 PM PDT by N3WBI3
[ Post Reply | Private Reply | To 48 | View Replies]

To: tortoise
I see that your legendary poor reading comprehension is biting you in the ass once again. You apparently missed that Linux systems are typically rooted because of poor system administration, not underlying software vulnerabilities.

You pulled that out of your ass. No sale. Produce proof -- or STFU. You've spread FUD here so much that your word is worth zip.
66 posted on 09/15/2003 7:55:25 PM PDT by Bush2000
[ Post Reply | Private Reply | To 47 | View Replies]

To: AgentOfTruth
True, some of those "applications" are not part of the Kernel but they are part of Linux.

They are included in most Linux distributions. They aren't Linux, or even part of Linux, at least in terms of who is "responsible". They are maintained by separate teams of developers, and blaming "Linux" would be like blaming Microsoft for a bug in Photoshop.

One could contend that some of them are necessary for Linux to be "useful" and equivalent to Windows. Therefore, it might be fair to include them in an overall comparison to Microsoft.

However, there are also a number of applications that have no direct equivalent on a Windows desktop, and typically don't exist except in enterprise server configurations. Unless your Microsoft patch count includes those types of applications or server software, it wouldn't be a fair comparison.

Start adding on the security patches numbers for applications for the Linux Kernel like PHP and the security swiss cheese Apache and the numbers for Linux get VERY ugly.

Check your list again. They were already included.

67 posted on 09/15/2003 8:02:45 PM PDT by justlurking
[ Post Reply | Private Reply | To 61 | View Replies]

To: justlurking
They are included in most Linux distributions. They aren't Linux, or even part of Linux, at least in terms of who is "responsible". They are maintained by separate teams of developers, and blaming "Linux" would be like blaming Microsoft for a bug in Photoshop.

Of course, that doesn't stop your side from lumping vulnerabilities in IE or Outlook or IIS into Windows. You want your cake and eat it, too -- decrying "Windows" vulnerabilities and simultaneously claiming that any vulnerability that isn't in the Linux kernel isn't Linux. Pathetic weasels.
68 posted on 09/15/2003 8:31:10 PM PDT by Bush2000 (E)
[ Post Reply | Private Reply | To 67 | View Replies]

To: N3WBI3
Takes far less time and planning than patching a Windows server..

My advice would be to put down the crackpipe...
69 posted on 09/15/2003 8:32:47 PM PDT by Bush2000 (E)
[ Post Reply | Private Reply | To 58 | View Replies]

To: AgentOfTruth
A security patch is a security patch. I didn't classify them, Red Hat and Microsoft did.

Yes, but how many of these are actual server security patches the normal server admins actually need to use? We use exposed Linux servers all over the Internet running fiber backbones in a number of capacities (over my objections, actually) and I believe they have had exactly one security bulletin over the last year and a half that actually required them to patch something (one of the daemons, in that case). Our admins are pretty sharp and our security is tight, but the only box ever rooted on our network was a Win2k box that we let someone host there for free. We run a ton of completely exposed Linux servers, and we see every vulnerability that pops up and aggressively watch that stuff, but we've needed to patch something exactly once in 18 months. And I know why that list doesn't compute; most of the "security patches" on that list are things that concern desktop users, not any of the server applications we are likely to use. I certainly know that the couple Windows servers we have (which are not exposed) have been patched multiple times in the same period, and these boxes are not even routable from the Internet.

As for Apple, they are running a FreeBSD kernel (very secure), but who knows what vulnerabilities they've added on top of it. I'll say that the jury is out on the security merits of MacOS X, though it should be pretty good in theory.

70 posted on 09/15/2003 8:38:43 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
[ Post Reply | Private Reply | To 57 | View Replies]

To: Bush2000
I would like to point out to you and the rest of my former ping buddies that INITIALIZED profanity can be subject to the Abuse button too.

Quiet you!


71 posted on 09/15/2003 8:50:22 PM PDT by Coral Snake (Biting commies, crooks, globalist traitors, islamofascists and any other type of Anti American)
[ Post Reply | Private Reply | To 34 | View Replies]

To: Bush2000
Of course, that doesn't stop your side from lumping vulnerabilities in IE or Outlook or IIS into Windows.

Microsoft themselves claimed (in court) that IE was an integral and inseparable part of Windows.

Personally, I wouldn't claim that IIS is part of Windows, even though it was on the Windows distribution disk(s). It took a separate, overt action on the part of the user to install it.

However, the problem with comparing a Windows-only application from Microsoft to an open source application that happens to run on Linux is that Linux is usually only one of the supported platforms.

In only a quick scan, I can identify several of them that also run on Windows: Mozilla, Ethereal, PHP, Apache, VNC, Lynx, Netscape, MySQL, and Ghostscript all have Windows source and binary distributions, although I don't know if they were exploitable. If you want to attribute them as Linux security problems, then they are potential Windows security problems as well -- even though they are not Microsoft products.

72 posted on 09/15/2003 8:55:11 PM PDT by justlurking
[ Post Reply | Private Reply | To 68 | View Replies]

To: HairOfTheDog
Oh good grief..... It is just not that big of a deal to stay up with patches.... Would rather have them real time than not have them.....

Cry me a river! No pity from me PE!

It's not that big a deal when you've only got a few computers that you have to deal with... But I've got clients with lots of users, scattered all over the country, many of whom don't have direct Internet access, though they still have access to email, and it's damned near impossible to patch a Windows system that doesn't have Internet access. In other cases, we've got some schools who are clients, and they simply don't have the manpower to run around to over 2000 systems to apply patches, or run Windows Update (can't apply patches without having local administrator access, and there's no way that the students are getting that sort of local access). Even if you can get all of their patches in downloadable form, then you have to take the time to be sure that they're rolled out, something that can take over an hour to do properly.

If you're dealing with a large system, it gets very time consuming and very expensive, very quickly!

Mark

73 posted on 09/15/2003 8:56:19 PM PDT by MarkL (See Dante Run... Run Dante Run! See Priest Score! Score, Priest, Score! (Go Chiefs!))
[ Post Reply | Private Reply | To 29 | View Replies]

To: tortoise
We use exposed Linux servers all over the Internet running fiber backbones in a number of capacities (over my objections, actually) and I believe they have had exactly one security bulletin over the last year and a half that actually required them to patch something

Great, kids. The moral of the story is if you turn off EVERYTHING, you don't have to patch your box. What a benefit .../SARCASM
74 posted on 09/15/2003 8:59:45 PM PDT by Bush2000
[ Post Reply | Private Reply | To 70 | View Replies]

To: Coral Snake
I would like to point out to you and the rest of my former ping buddies that INITIALIZED profanity can be subject to the Abuse button too.

Your mere presence is profane.
75 posted on 09/15/2003 9:00:37 PM PDT by Bush2000
[ Post Reply | Private Reply | To 71 | View Replies]

To: tortoise
Don't worry too much about Bush2000. He and his buddies always disappear when they realize that their talking point for the day is a LOSER.
Funny I notice that you have a reptilian screen name just like I do. ;-).
76 posted on 09/15/2003 9:00:43 PM PDT by Coral Snake (Biting commies, crooks, globalist traitors, islamofascists and any other type of Anti American)
[ Post Reply | Private Reply | To 47 | View Replies]

To: palmer
The first thing that you need to do is get yourself out to Steve Gibson's web site and download a number of files... I don't know if I remember them all, but you will want to get socket-to-me and socket-lock, which puts the kibosh on raw socket access, which can leave your system vulnerable, un-plug-n-pray, which disables UPnP (something that the FBI strongly recommends), shoot-the-messenger, which will turn off the messenger service altogether, and Xpedite, which you shouldn't need if your patches are up to date. Then run a shields up port scan to see how vulnerable you are.

Mark

77 posted on 09/15/2003 9:01:10 PM PDT by MarkL (See Dante Run... Run Dante Run! See Priest Score! Score, Priest, Score! (Go Chiefs!))
[ Post Reply | Private Reply | To 37 | View Replies]

To: justlurking
Microsoft themselves claimed (in court) that IE was an integral and inseparable part of Windows.

They might have made that claim but the court didn't buy that argument. The court went so far as to order MS to disintegrate them. So try again.

If you want to attribute them as Linux security problems, then they are potential Windows security problems as well -- even though they are not Microsoft products.

Get real. Mozilla and Apache and Netscape aren't distributed on Windows disks. But they are distributed with Linux.
78 posted on 09/15/2003 9:05:34 PM PDT by Bush2000
[ Post Reply | Private Reply | To 72 | View Replies]

To: N3WBI3
I have 12 updates (one is critical) in the past week that have gone to test. They average far more than four a month..

Actually, on a client system where I installed an OEM copy of WindowsXP, complete with SP1, when I went out to WindowsUpdate two weeks ago, I was informed that there were 28 critical updates... How long has WinXP SP1 been out? BTW, I suspect that the number is now greater.

Mark

79 posted on 09/15/2003 9:08:04 PM PDT by MarkL (See Dante Run... Run Dante Run! See Priest Score! Score, Priest, Score! (Go Chiefs!))
[ Post Reply | Private Reply | To 56 | View Replies]

To: Bush2000
Great, kids. The moral of the story is if you turn off EVERYTHING, you don't have to patch your box.

No, genius. The point is that you turn off what you don't need and configure it so that it is secure as possible. We probably have around ten different network daemons running on them at any given moment on average. Nonetheless, the OS has not needed to be patched and only one of the myriad of daemons that we run had to be patched. These boxes do most everything that a normal Unix server does plus some extra things most Unix servers do not. They have simply been trouble free for the most part and no security vulnerabilities have been published for the various applications we use (excepting the one).

80 posted on 09/15/2003 9:12:58 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
[ Post Reply | Private Reply | To 74 | View Replies]

