Full Disclosure mailing list archives

RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

From: "Edward W. Ray" <support () mmicman com>
Date: Wed, 14 Apr 2004 08:40:21 -0700

I would not mind the bunching, except that many of the vulnerabilities were
discovered more than 4-6 months ago.  The other Oses release patches much
more quickly.  What if someone other than Eeye with an axe to grind
discovered these flaws before Microsoft decided to patch them? 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Roman
Drahtmueller
Sent: Wednesday, April 14, 2004 7:36 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] The new Microsoft math: 1 patch for 14
vulnerabilities, MS04-011

 
I use Linux, OpenBSD and Windows in my enterprise.  Linux and OpenBSD 
use the "1 patch for 1 vulnerability" rule.  Seems to me that MS is 
bunching their patches together in order to make it seem on the 
surface that Windows has less patches than other Oses, therefore it is 
more secure.  CIOs, take note.


It happens from time to time (today...) that several bugs get fixed with one
update package on SUSE Linux (and other Linuxes). But: One update package
fixes one package, whereas one patch can consist of several update packages
(in our patch management framework).

After all, it is a matter of transparency if you can manually, individually
select what update package you want on your system and which not. Probably
even more important: You should also be able to see what _changes_ have been
applied to every single update package. Otherwise, you just can't know what
else has been "fixed"...

Regards,
Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SUSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

DEF CON 12 WarDriving Contest Announced chris (Apr 14)
- The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Edward W. Ray (Apr 14)
  - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Roman Drahtmueller (Apr 14)
    - RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Edward W. Ray (Apr 14)
    - RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 David T Hollis (Apr 14)
  - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Seth Alan Woolley (Apr 14)
  - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Exibar (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 John Sage (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Paul Schmehl (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Curt Purdy (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Exibar (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Dave Horsfall (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Rick Updegrove (Apr 14)
    - Re: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011 Byron Copeland (Apr 14)

(Thread continues...)