Full Disclosure mailing list archives

Re: Microsoft product vs Microsoft patch


From: "John Dietz" <www.whitewolf () gmail com>
Date: Fri, 25 Aug 2006 08:34:00 -0500

Please correct me if I am wrong but I believe the numbers n3td3v is
looking for is how much code size the patches ADD to the system, not
the actual size of the patches themselves.  Though I tend to agree
that it doesn't really prove anything, I have to admit I myself am
quite curious about these figures and someone with the time and
resources available should have no problem compiling these figures.
All you would have to do is take a base install of Windows, say Win.
2K SP0, do a clean install on a freshly formatted HDD, run disk
cleanup, or what ever tool is your favorite, to get rid of any stray
bloat installer files, and then examine the dist and record disk usage
to get your baseline.  Then apply all service packs (DO NOT ARCHIVE)
and updates to the system to get the system completely up to date and
run your disk cleanup utility again and then record the difference in
disk usage.  You might also want to do the same with Win XP.  My
suspicion is it probably isn't near as large of a size difference as
some might think.  If I had the time, I would do this myself, but I
would be interested in the data if anyone out there feels like taking
on this task.

Cheers,

John

On 8/24/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
On Thu, 24 Aug 2006 20:14:03 BST, n3td3v said:

> I believe for their operating system and their web browser Microsoft patches
> take up half or all the original size of the Microsoft product.

So? What's that actually *prove*?

> I don't have the resources to carry out this study on my own, and I know
> some folks do have those resources to release such information to the
> security community.
>
> We need this information to be published professionally so its suitable for
> media outlet consumption.

No, you don't.

Part of the problem is that the size of the "patch" is *highly* dependent
on the details of the packaging system.  If you want to go *that* route,
you shouldn't hope to *ever* get Linux accepted.  Let's take a look at how
Redhat/Fedora package kernel "patches":

The original Fedora Core 5 kernel for a single-processor 686:

-rw-r--r--    1 263      263     14070190   Mar 14 23:23   kernel-2.6.15-1.2054_FC5.i686.rpm

Updates so far:

-rw-r--r--    1 2220     2220     15433301 Jul 15 00:13 kernel-2.6.17-1.2157_FC5.i686.rpm
-rw-r--r--    1 2220     2220     15442084 Aug 10 14:22 kernel-2.6.17-1.2174_FC5.i686.rpm

Oh my *GOD*, the patches are twice the size of the original.  And it's even worse
over on RHEL 4, where they've shipped:

kernel-2.6.9-5.EL
kernel-2.6.9-5.0.5.EL
kernel-2.6.9-11.EL
kernel-2.6.9-34.EL
kernel-2.6.9-34.0.2.EL
kernel-2.6.9-42.EL

Plus others I've possibly missed.  Size of patches is 5x the size of the
original.


--
There is intelligence is in having all the answers, but wisdom lies in
knowing which of the questions to answer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Current thread: