Linux-Watch
      . . . keeping an eye on the penguin   
Patch this! Musings on Microsoft's Windows patching
Jan. 11, 2006

What color is the sky in Microsoft's world? Green?

In a recent eWEEK story by Peter Galli, Bill Hilf, who is director of Microsoft's Platform Technology Strategy and heads its Linux and open-source lab, claims that "patching, particularly for security, is not a 'Microsoft problem,' but something that affects all operating system and platform vendors."

Fair enough. Everyone has security problems, everyone has patches. But claiming, as Hilf does, that Microsoft's patching is somehow better than that of the major Linux distributions is complete nonsense.

As Mark Cox, security response team leader at Red Hat, points out in the story, simply measuring the number of patches is meaningless.

"Although we shipped 168 security advisories for RHEL4 in the year, only 17 of the underlying vulnerabilities were of critical severity [using the same scales as Microsoft for vulnerability severity]," said Cox in an eWEEK interview.

Of those 17 critical vulnerabilities, Red Hat made fixes for every one of them available to customers via the Red Hat Network within two days of the vulnerabilities being known to the public, with 87 percent of them being available the first day.
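Cox's point is that a raw advisory count says nothing about exposure; what matters is how long a vulnerability of a given severity stays unfixed once it is public. The following Python, an added example that is not from the article, Red Hat, or Microsoft, shows the kind of per-severity time-to-fix summary that makes the distinction. The advisory records (the `EX-2005:NNN` identifiers, dates and severities) are constructed for illustration and are not real advisories.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Advisory:
    """One security advisory: when the flaw went public and when a fix shipped."""
    advisory_id: str
    severity: str   # "critical", "important", "moderate" or "low"
    disclosed: date  # date the vulnerability became publicly known
    fixed: date      # date a fix was available to customers

    @property
    def days_to_fix(self) -> int:
        return (self.fixed - self.disclosed).days


# Constructed sample data: hypothetical advisory ids, not real ones.
SAMPLE = [
    Advisory("EX-2005:001", "critical", date(2005, 3, 1), date(2005, 3, 1)),
    Advisory("EX-2005:002", "critical", date(2005, 5, 10), date(2005, 5, 12)),
    Advisory("EX-2005:003", "critical", date(2005, 8, 2), date(2005, 8, 2)),
    Advisory("EX-2005:004", "moderate", date(2005, 4, 4), date(2005, 4, 20)),
    Advisory("EX-2005:005", "low", date(2005, 6, 6), date(2005, 7, 30)),
    Advisory("EX-2005:006", "important", date(2005, 9, 9), date(2005, 9, 14)),
]

SEVERITY_ORDER = ("critical", "important", "moderate", "low")


def summarize(advisories, severity_order=SEVERITY_ORDER):
    """Per-severity exposure metrics: count, median/max days unfixed,
    and the share fixed the same day and within two days of disclosure."""
    by_severity = defaultdict(list)
    for adv in advisories:
        by_severity[adv.severity].append(adv.days_to_fix)

    summary = {}
    for sev in severity_order:
        days = by_severity.get(sev)
        if not days:
            continue  # no advisories at this severity
        n = len(days)
        summary[sev] = {
            "count": n,
            "median_days": median(days),
            "max_days": max(days),
            "pct_same_day": round(100 * sum(d == 0 for d in days) / n),
            "pct_within_2_days": round(100 * sum(d <= 2 for d in days) / n),
        }
    return summary


def headline_numbers(advisories):
    """The two figures that should be quoted together: total advisory count
    (the misleading one) and how long critical flaws stayed unfixed."""
    crit = summarize(advisories).get("critical", {"count": 0, "max_days": None})
    return {
        "total_advisories": len(advisories),
        "critical_count": crit["count"],
        "critical_max_days_unfixed": crit["max_days"],
    }


if __name__ == "__main__":
    for sev, stats in summarize(SAMPLE).items():
        print(f"{sev:>9}: {stats}")
    print(headline_numbers(SAMPLE))
```

On the constructed data the report shows six advisories in total but only three critical ones, all fixed within two days and two of them the same day; a vendor with a third as many advisories whose critical flaws sat open for a week would look better on the raw count and worse on the metric that matters.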

I might add, I can't think of a single Red Hat, or any other Linux distribution, security hole in the last year or so that actually meant anything in the real world.

Now, let's consider Microsoft's recent record, shall we?

On December 28th, an "extremely critical flaw" in WMF (Windows Metafile Format) was found the hard way: crackers were already exploiting it on fully patched systems.

By New Year's Eve, several, but not all, anti-virus companies had come up with ways to detect malware using the WMF hole. Microsoft did not have a patch. Microsoft did not have a work-around.

How serious was the WMF hole? As eWEEK security columnist Larry Seltzer pointed out, some respected people out there think this is one of the all-time bad ones.

Seltzer himself called WMF a "Windows Major Foul-Up" and said that "the problem with the WMF file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences."

But to get back to the patch story, by January 3, reverse-engineering guru Ilfak Guilfanov had created his own emergency patch for the problem. It was so good that the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure Corp. gave it their blessings.

Microsoft recommended that people not use it. Even as dozens of different malware programs were using the flaw to pry open people's computers, Microsoft recommended that users wait until January 10th.

On January 5th, Microsoft finally smelled the smoke and issued an emergency patch. It didn't work on Windows 98, Windows ME, and pre-SP4 versions of Windows 2000, but for XP and 2003 users it was out there.

Before that happened, however, a beta version of the patch escaped from Microsoft. The MSRC (Microsoft Security Response Center) urged users to "disregard" the premature update.

Yes, life is certainly easier for Windows users with Microsoft's patch system, isn't it?

"The two-week turnaround was one of the fastest in the company's history, and reflects the seriousness of the WMF flaw," boasted Debby Fry Wilson, a director at MSRC, in an interview. Seltzer also congratulated them for their speed.

Seltzer also pointed out that the respected security company eEye has reported five other serious vulnerabilities to Microsoft from May 5th 2005 to October 17th. How many have been fixed? Uh... none.

Let me see now: Red Hat has repaired all of its serious reported bugs within two days. Microsoft is proud that, in an emergency situation, it only took a week or so to get one patch out.

Oh, and as of January 9th, two new ways have been found to exploit the patched WMF.

Yes, there's no question about it. When it comes to comparing Windows and Linux patching, there's a clear winner, and it's not Microsoft.


--Steven J. Vaughan-Nichols

Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.