Full Disclosure mailing list archives

Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011


From: Tim <tim-security () sentinelchicken org>
Date: Wed, 14 Apr 2004 08:37:44 -0700

I use Linux, OpenBSD and Windows in my enterprise.  Linux and OpenBSD use
the "1 patch for 1 vulnerability" rule.  Seems to me that MS is bunching
their patches together in order to make it seem on the surface that Windows
has fewer patches than other OSes, therefore it is more secure.  CIOs, take
note.

Yeah, this is pretty disgusting.  

Seemingly harmless in application, but when you consider features often
creep into patches in M$ software, it makes it extremely difficult to
test a single mega-patch like this on a few thousand systems with
different configurations and custom software installations.  I can tell
you first hand, that dealing with them in bunches severely slows the
patch release process in enterprise environments.

And I don't buy "it's easier if it is all together".  If your patch
management system doesn't suck, any number of separate patches can be
applied just as easily as a subset of them.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html