Full Disclosure mailing list archives
Re: Microsoft product vs Microsoft patch
From: "John Dietz" <www.whitewolf () gmail com>
Date: Fri, 25 Aug 2006 08:34:00 -0500
Please correct me if I am wrong but I believe the numbers n3td3v is looking for is how much code size the patches ADD to the system, not the actual size of the patches themselves. Though I tend to agree that it doesn't really prove anything, I have to admit I myself am quite curious about these figures and someone with the time and resources available should have no problem compiling these figures. All you would have to do is take a base install of Windows, say Win. 2K SP0, do a clean install on a freshly formatted HDD, run disk cleanup, or what ever tool is your favorite, to get rid of any stray bloat installer files, and then examine the dist and record disk usage to get your baseline. Then apply all service packs (DO NOT ARCHIVE) and updates to the system to get the system completely up to date and run your disk cleanup utility again and then record the difference in disk usage. You might also want to do the same with Win XP. My suspicion is it probably isn't near as large of a size difference as some might think. If I had the time, I would do this myself, but I would be interested in the data if anyone out there feels like taking on this task. Cheers, John On 8/24/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
On Thu, 24 Aug 2006 20:14:03 BST, n3td3v said: > I believe for their operating system and their web browser Microsoft patches > take up half or all the original size of the Microsoft product. So? What's that actually *prove*? > I don't have the resources to carry out this study on my own, and I know > some folks do have those resources to release such information to the > security community. > > We need this information to be published professionally so its suitable for > media outlet consumption. No, you don't. Part of the problem is that the size of the "patch" is *highly* dependent on the details of the packaging system. If you want to go *that* route, you shouldn't hope to *ever* get Linux accepted. Let's take a look at how Redhat/Fedora package kernel "patches": The original Fedora Core 5 kernel for a single-processor 686: -rw-r--r-- 1 263 263 14070190 Mar 14 23:23 kernel-2.6.15-1.2054_FC5.i686.rpm Updates so far: -rw-r--r-- 1 2220 2220 15433301 Jul 15 00:13 kernel-2.6.17-1.2157_FC5.i686.rpm -rw-r--r-- 1 2220 2220 15442084 Aug 10 14:22 kernel-2.6.17-1.2174_FC5.i686.rpm Oh my *GOD*, the patches are twice the size of the original. And it's even worse over on RHEL 4, where they've shipped: kernel-2.6.9-5.EL kernel-2.6.9-5.0.5.EL kernel-2.6.9-11.EL kernel-2.6.9-34.EL kernel-2.6.9-34.0.2.EL kernel-2.6.9-42.EL Plus others I've possibly missed. Size of patches is 5x the size of the original.
-- There is intelligence is in having all the answers, but wisdom lies in knowing which of the questions to answer. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft product vs Microsoft patch n3td3v (Aug 24)
- Re: Microsoft product vs Microsoft patch Valdis . Kletnieks (Aug 24)
- Re: Microsoft product vs Microsoft patch John Dietz (Aug 25)
- Re: Microsoft product vs Microsoft patch Valdis . Kletnieks (Aug 25)
- Re: Microsoft product vs Microsoft patch n3td3v (Aug 25)
- Re: Microsoft product vs Microsoft patch John Dietz (Aug 25)
- <Possible follow-ups>
- Re: Microsoft product vs Microsoft patch Ajay Pal Singh Atwal (Aug 24)
- Re: Microsoft product vs Microsoft patch Tonnerre Lombard (Aug 24)
- Re: Microsoft product vs Microsoft patch Mike M (Aug 25)
- Re: Microsoft product vs Microsoft patch Valdis . Kletnieks (Aug 24)