RE: Microsoft and Security

["David F. Skoll" <dfs () roaringpenguin com>]

On Mon, 5 Jul 2004, Alun Jones wrote:

> The immediate patch carries maximum risk, and the perfect patch requires
> unconscionable amounts of time to verify its correctness.  Between those two
> endpoints, however, you'll find a huge variance in what is acceptable risk
> of damage from a patch versus acceptable delay to test.  And unfortunately,
> neither of those two values is a) measurable, or b) the same for each user.

That's true.  However, Microsoft has a much higher record of patches that
break things than most other vendors.  I don't believe that's because
the people who write the patches are less competent, but I do believe it's
because they are patching a horribly-designed system.

Microsoft has bundled together so much stuff and interconnected so many
applications with parts of the operating system that the system is extremely
fragile, and any change is likely to have unforseen side effects.

I can't recall ever installing a Linux vendor patch that has broken anything
on my systems (I'm sure it has happened, just not to me.)  That's because
the various bits of Linux (or UNIX for that matter) are quite isolated:
The windowing system runs as a normal user process; the Web browser is
not "part of" the operating system; and filenames do not have magical
side effects (.exe != chmod a+x), to name a few problems with Windows.

I believe Microsoft is plagued with security problems and its patches
are plagued with breakage problems because Windows is just a mess.

Regards,

David.