[ale] OT Linux Story
Michael D. Hirsch
mhirsch at nubridges.com
Fri Jun 6 14:23:23 EDT 2003
On Friday 06 June 2003 02:17 pm, Dow Hurst wrote:
> That is an important point about what does a critical update truly
> represent. Most of MS bugs are kernel related or so married to the
> kernel that you have a root type compromise. Linux under the Unix model
> of separation of user and kernel doesn't have a comparable rate. In
> fact kernel level bugs in the stable kernel are extremely rare.
I believe you mean "security-critical kernel level bugs". As with all
large software projects, the kernel has lots of bugs. Most are not
security related.
> Applications under Linux do have bugs being fixed all the time and so
> several may be a mild security vulnerability. Any security vulnerability
> is normally classed by a Linux distribution vendor as a critical update,
> even if the vulnerability is really mild. If you separate your normal
> user login from a trash user login for interacting with a browser then
> you further insulate yourself from vulnerabilities. Reading the CERT
> summaries shows this up clearly in that practically every MS posted
> vulnerability is severe while most Unix and Linux vulnerabilities are
> mild. Dow
Yes. Just counting updates is silly, given the different update schemes.
Most Linux apps get updated if any bug is found that conceivably could be
used to compromise some aspect of security. Consider the SSL timing flaw
that got fixed instantly, even though it was pretty hard to imagine
someone actually using it for evil purposes. Or the number of "tmp file"
fixes, though I don't know if there is a case of anyone ever using that
trick. Especially not some of the more obscure applications.
The MS updates are usually bundled, so one update typically fixes more than
one flaw. Furthermore, they only tell you about the flaws which are known
to really be security holes.
Basically, Open Source programs will come up with more security patches,
even if the code is identical, because with more eyes on the code, more
holes can be found. This is a Good Thing, not a Bad Thing.
Michael
> Thomas Holmquist wrote:
> > heh? linux has 3x critical updates than MS? umm no... THE LINUX APPS
> > MIGHT, BUT NOT _LINUX_. When you patch windows XP, you're patching a
> > WINDOWS bug...
> >
> > haswes at mindspring.com wrote:
> >> Forgive me I wasn't following the whole thread. but remember SQL
> >> slammer worm? BofA was hit by that from what I heard. You can't piss
> >> off a CEO and CFO together too many times.
> >>
> >> And I liked this quote.
> >> "My Linux server at home has three times the number of critical
> >> updates than my Windows XP box, which sits right next to it. It's
> >> just a fact that all the guys hacking Microsoft are Linux guys,
> >> that's the game here," Hanks said.
> >>
> >> From the following link.
> >>
> >> http://security.ziffdavis.com/article2/0,3973,1115539,00.asp
> >> Another ASP page...
> >>
> >> Adrin
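The "tmp file" fixes Michael mentions are the class of bugs where a program creates a scratch file under a guessable name in a shared directory such as /tmp, so a file or symlink planted there beforehand gets opened instead. As an added example that is not part of this thread, here is the pattern the fixes typically switched to: an unpredictable name created atomically with O_CREAT|O_EXCL and mode 0600 (what mkstemp does), followed by an fstat check on the open descriptor rather than on the path. The function names, the "example." prefix and the sample content are my own constructions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Create a private temp file. mkstemp() fills in the XXXXXX with an
 * unpredictable suffix and opens with O_CREAT|O_EXCL, so an existing
 * file or symlink at that name makes the call fail instead of being
 * followed. Returns an open fd (or -1) and writes the final path into
 * `path`. Hypothetical helper written for this example. */
int create_private_tempfile(char *path, size_t pathlen) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0') dir = "/tmp";
    if (snprintf(path, pathlen, "%s/example.XXXXXX", dir) >= (int)pathlen)
        return -1;
    mode_t old = umask(077);      /* older libcs created 0666; force 0600 */
    int fd = mkstemp(path);
    umask(old);
    return fd;
}

/* Verify the descriptor refers to a regular file owned by us, with no
 * group/other permission bits and exactly one link. Checking the fd
 * (fstat) rather than the path means a later rename of the path cannot
 * change the answer. Returns 1 if private, 0 otherwise. */
int tempfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return 0;
    if (st.st_nlink != 1) return 0;
    return 1;
}

int main(void) {
    char path[4096];
    int fd = create_private_tempfile(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("%s private=%d\n", path, tempfile_is_private(fd));
    const char msg[] = "constructed sample content\n";   /* constructed */
    if (write(fd, msg, sizeof msg - 1) < 0) perror("write");
    unlink(path);   /* remove the name; the open fd keeps the data usable */
    close(fd);
    return 0;
}
```

The same check applies to any file a privileged process opens in a world-writable directory: keep working through the descriptor you created, and treat a failed fstat check as an error rather than retrying with a new name.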
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale