On Wed, 2004-04-14 at 08:40 -0700, Edward W. Ray wrote: > I would not mind the bunching, except that many of the vulnerabilities were > discovered more than 4-6 months ago. The other Oses release patches much > more quickly. What if someone other than Eeye with an axe to grind > discovered these flaws before Microsoft decided to patch them? > > -----Original Message----- > > > > > I use Linux, OpenBSD and Windows in my enterprise. Linux and OpenBSD > > use the "1 patch for 1 vulnerability" rule. Seems to me that MS is > > bunching their patches together in order to make it seem on the > > surface that Windows has less patches than other Oses, therefore it is > > more secure. CIOs, take note. > > It happens from time to time (today...) that several bugs get fixed with one > update package on SUSE Linux (and other Linuxes). But: One update package > fixes one package, whereas one patch can consist of several update packages > (in our patch management framework). > I really doubt that the bundling of patches is meant to make numbers seem better, though I can see some of the think-tanks trying to compare things that way. The bundling is A) easier for everyone and more importantly B) probably required for some of the patches. Realize that a Windows Patch is not like a Linux Kernel Patch. It's isn't a bit of text that represents changes to source code that then get compiled. A MS patch is a new set of DLLs, or EXEs that contain the fixes for whatever vulnerability/flaw. If a bunch of vulnerabilities require mods to NTDLL.DLL, you really only need to distribute the one NTDLL.DLL that has all of the fixes. Sending out 4 patches with modded NTDLL.DLLs when the only one that will stick is the last one (hopefully all patches are included in this one, of course), just send the dang thing out as one patch.
-- David T Hollis <[EMAIL PROTECTED]> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
