Bugtraq mailing list archives
RE: Microsoft and Security
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Tue, 6 Jul 2004 15:04:01 -0400 (EDT)
On Mon, 5 Jul 2004, Alun Jones wrote:
> The immediate patch carries maximum risk, and the perfect patch requires unconscionable amounts of time to verify its correctness. Between those two endpoints, however, you'll find a huge variance in what is acceptable risk of damage from a patch versus acceptable delay to test. And unfortunately, neither of those two values is a) measurable, or b) the same for each user.
That's true. However, Microsoft has a much higher record of patches that break things than most other vendors. I don't believe that's because the people who write the patches are less competent, but I do believe it's because they are patching a horribly-designed system. Microsoft has bundled together so much stuff and interconnected so many applications with parts of the operating system that the system is extremely fragile, and any change is likely to have unforeseen side effects.

I can't recall ever installing a Linux vendor patch that has broken anything on my systems (I'm sure it has happened, just not to me.) That's because the various bits of Linux (or UNIX for that matter) are quite isolated: The windowing system runs as a normal user process; the Web browser is not "part of" the operating system; and filenames do not have magical side effects (.exe != chmod a+x), to name a few problems with Windows.

I believe Microsoft is plagued with security problems and its patches are plagued with breakage problems because Windows is just a mess.

Regards,

David.