I think you will all find this discussion amusing:
( http://www.m5computersecurity.com/pipermail/sdw2003/Week-of-Mon-20050207/thread.html )

----- Original Message -----
From: "Michael J McCafferty" <[EMAIL PROTECTED]>
To: "San Diego Windows 2003 User Group" <[EMAIL PROTECTED]>
Subject: RE: [sdw2003] Woah ! non-IE browser vulnerability
Date: Wed, 09 Feb 2005 09:33:02 -0800

>
> Dutch,
> Actually, I have seen times when I will go to patch a RedHat Enterprise
> system when I need to download scores of patched software packages (maybe
> 50 or more) because they were all built using other vulnerable software,
> such as zlib (compression) or openssl (encryption). I am sure it's the
> same with other distros, but I don't use many other distros very often,
> so I don't know first hand. I don't actually think that the number of
> packages downloaded for patches is a good way to measure security issues,
> as the example above might be a very small unexploitable bug fix that
> could create errata for tons of software. Bug fix does not equal security
> problem.
>
> Also, the distributions come with an INSANE pile of software. RedHat
> Enterprise Linux, for example, comes with at least one complete office
> suite, a web server, two database servers, two windowing systems, several
> shells, clustering software, DNS server software, 2 mail servers, webmail
> software, scheduling software, several compilers, several interpreted
> languages (like Perl), SAMBA (which allows it to do Windows file and print
> services, and be a domain controller), 4 web browsers, and much more. All
> of it supported for your subscription fee. All of them included in your
> vulnerability counts. There is a lot of software in this list that MS
> doesn't even make an equivalent to.
>
> No matter what, it's never gonna be apples to apples between MS and *nix
> vendors. I happen to think that MS is doing a pretty darn good job. It's
> very difficult to manage large software projects, like OSes, office
> suites, and the like, without countless bugs and vulnerabilities. Large
> ships change course very slowly. As for debating which is better... well,
> it's been done over and over, and no one has ever "won" the argument. No
> facts and figures will back up either "side's" claims inarguably.
>
> While there's little doubt in my mind that Windows is a better desktop
> for the average joe in a workgroup (my opinion), and there is little
> doubt in my own mind that *nixes are better for Enterprise application
> servers (my opinion), there is some space in the middle where they
> compete (MS SQL Server is a very good transactional DB, and a technical
> power user can do some pretty cool stuff with a *nix workstation). I am a
> Linux sysadmin / Security Engineer, and I still have Windows on my
> laptop. I can't use Visio on Linux and I have had problems with
> compatibility with the open source office suites in the past (but I hear
> they are much better now). I use VMWare to get my Linux platform when I
> need it. The other Engineers in my group have opted to go with Macs for
> their laptops because they can do BSD (another Unix-like OS) things and
> still use IE and Office (still no Visio though).
>
> Shouldn't we include Mac OS X in this argument?
>
> > At 09:09 PM 2/8/2005 -0800, you wrote:
> > > The real race begins once Microsoft releases the security patches.
> > > That is when people reverse-engineer the code and post exploit code.
> > >
> > > If you look at those Firefox bugs I posted, several are months old.
> > > Seems like someone sat on them for XXX days after RTM of the
> > > software. Unfortunately, there are many many issues that run for
> > > *months* in the Linux world. I have been down this path many times
> > > and understand it is a "perception" problem.
> > >
> > > Here is some timeframe data from June 1 2002 - May 21, 2003 from
> > > public data sources. The most important factor is your "All Days of
> > > Risk" (the time between when a vulnerability is disclosed and when a
> > > fix is available). Another interesting statistic in the Linux world
> > > is "Distribution Days of Risk". This is the time lag between when the
> > > security fix is released by the maintainer of the flawed component
> > > and when it is issued by the platform maintainer (Debian, Red Hat,
> > > SUSE, MandrakeSoft).
> > >
> > > Microsoft averages 25 days between disclosure and release of a fix,
> > > or All Days of Risk. Red Hat tied with Debian with 57 days for All
> > > Days of Risk.
> > >
> > > All Days of Risk
> > > Microsoft = 25
> > > Red Hat = 57
> > > Debian = 57
> > > MandrakeSoft = 82
> > > SUSE = 74
> > >
> > > Distribution Days of Risk
> > > Microsoft = 25 (used the All Days of Risk number)
> > > Red Hat = 47
> > > Debian = 32
> > > MandrakeSoft = 56
> > > SUSE = 54
> > >
> > > Microsoft fixed all 128 reported flaws during that time frame.
> > > Red Hat fixed 228 of their 229 reported flaws.
> > > Debian fixed 275 of their 286 reported flaws.
> > > MandrakeSoft fixed 197 of their 199 reported flaws.
> > > SUSE fixed 172 of their 176 reported flaws.
> > >
> > > I also know this is a rough month for patching but the record (last I
> > > checked) goes to Debian - Jun03, 35 single errata!
> > >
> > > _______________________________________________
> > > sdw2003 mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.mattware.com/mailman/listinfo/sdw2003

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
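The two metrics the quoted post relies on, "All Days of Risk" (disclosure to vendor fix) and "Distribution Days of Risk" (upstream maintainer's fix to the platform vendor's errata), are easy to compute but easy to misread: a flaw with no fix yet has no "days of risk" at all, so it drops out of the average while still sitting open. The following Python is an added example, not code from the post or from any of the list participants; the vendor names, flaw identifiers and dates are constructed for illustration and correspond to no real advisories.

```python
"""Compute "All Days of Risk" and "Distribution Days of Risk" per vendor.

Added example; the record layout, vendor names, flaw ids and dates below are
constructed for illustration and are not real advisories.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    """One flaw as tracked for one vendor (hypothetical record layout)."""
    vendor: str
    flaw_id: str                    # hypothetical id, not a real CVE/errata number
    disclosed: date                 # public disclosure date
    upstream_fix: Optional[date]    # component maintainer's fix; None if the vendor owns the code
    vendor_fix: Optional[date]      # platform vendor's errata/patch; None = still unfixed


def all_days_of_risk(a: Advisory) -> Optional[int]:
    """Days from disclosure to the vendor's fix. None while the flaw is unfixed."""
    if a.vendor_fix is None:
        return None
    return (a.vendor_fix - a.disclosed).days


def distribution_days_of_risk(a: Advisory) -> Optional[int]:
    """Days from the upstream maintainer's fix to the vendor's errata.

    Only defined when both dates exist. A negative value would mean the
    vendor shipped (e.g. a backport) before upstream did; it is kept as-is
    rather than clamped so that it stays visible.
    """
    if a.vendor_fix is None or a.upstream_fix is None:
        return None
    return (a.vendor_fix - a.upstream_fix).days


def summarize(advisories: List[Advisory]) -> Dict[str, dict]:
    """Per-vendor: reported/fixed counts, mean of each metric, and open flaw ids.

    Unfixed flaws are excluded from both means (there is nothing to measure
    yet) but are counted in "reported" and listed under "open", so a low
    average cannot hide unresolved issues.
    """
    by_vendor: Dict[str, List[Advisory]] = {}
    for a in advisories:
        by_vendor.setdefault(a.vendor, []).append(a)

    out: Dict[str, dict] = {}
    for vendor, items in sorted(by_vendor.items()):
        all_dor = [d for d in (all_days_of_risk(a) for a in items) if d is not None]
        dist_dor = [d for d in (distribution_days_of_risk(a) for a in items) if d is not None]
        out[vendor] = {
            "reported": len(items),
            "fixed": len(all_dor),
            "open": [a.flaw_id for a in items if a.vendor_fix is None],
            "all_days_of_risk": round(mean(all_dor), 1) if all_dor else None,
            "distribution_days_of_risk": round(mean(dist_dor), 1) if dist_dor else None,
        }
    return out


# Constructed sample: "vendor-a" owns its code (no upstream), "vendor-b" repackages.
SAMPLE: List[Advisory] = [
    Advisory("vendor-a", "FLAW-1", date(2003, 1, 10), None, date(2003, 2, 4)),
    Advisory("vendor-a", "FLAW-2", date(2003, 3, 1), None, date(2003, 3, 26)),
    Advisory("vendor-b", "FLAW-3", date(2003, 1, 10), date(2003, 1, 20), date(2003, 3, 8)),
    Advisory("vendor-b", "FLAW-4", date(2003, 2, 1), date(2003, 2, 11), date(2003, 3, 30)),
    Advisory("vendor-b", "FLAW-5", date(2003, 4, 1), date(2003, 4, 5), None),  # unfixed
]

if __name__ == "__main__":
    for vendor, stats in summarize(SAMPLE).items():
        print(vendor, stats)
```

Read the "fixed N of M" lines in the quoted post alongside the averages for the same reason: the averages only describe flaws that were actually closed in the window.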
