Full Disclosure mailing list archives

Re: RE: Linux (in)security


From: John Sage <jsage () finchhaven com>
Date: Thu, 23 Oct 2003 09:57:30 -0700

I think it's relevant to bring a recent post to the list over here to
this thread, re: the relative security of Windows, versus Linux et al.

Microsoft seemingly can't even make its own patches work
properly. Again.

To quote:

Subject: RE: [Full-disclosure] Anyone running SUS see the content update today?
From: "Jerry Heidtke" <jheidtke () fmlh edu>
To: "Joshua Levitsky" <jlevitsk () joshie com>,
   <full-disclosure () lists netsys com>
Date: Wed, 22 Oct 2003 22:09:20 -0500

"...There were a variety of "issues" with last week's patches.

MS03-045 installation failed on some language versions of Windows 2000
SP4. Since this patch replaces the entire core of the OS, it often
left the computer in a completely unusable state.

/* snip */

All the original 10/15 OS patches included a new version of update.exe
that contained a critical bug. In an attempt to reduce the number of
reboots, MS tested to see if the user installing the patch had the
debug privilege. This privilege allows system files that are in-use to
be replaced on a running system. Normally only Local System and
Administrators have this right. The intention was that if the user had
the debug right, the files would be replaced and no reboot would be
needed. The check to see if the current user had this right would
sometimes enter an infinite loop, and sometimes system files would be
damaged, putting the computer into an endless reboot cycle..."

/* snip */

ahem...

"A variety of issues..."?

Are you kidding me?

And yet, how often is it found that a Microsoft "patch" causes
problems with the systems it is intended to be helping? Some of the
time? Most of the time?


I simply cannot think of a more clear, distinct, and comprehensive
indictment of Microsoft and its operating systems than the unrelenting
torrent of patches that it issues to fix the defective products that
its monopoly position in the marketplace has allowed it to foist upon
the world.

Sure, the UNIX'es and Linux'es of the world have some problems, but
really now, nothing like Windows.

And a patch, when issued, pretty much works as expected.

But with Microsoft, and Windows?

Lots of luck.

The *really* startling fact is that Microsoft, with all its vast
engineering and financial resources, seems to be incapable of doing
anything about it...



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

