lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: tim-security at sentinelchicken.org (Tim)
Subject: The new Microsoft math:  1 patch for 14 vulnerabilities, MS04-011

> I use Linux, OpenBSD and Windows in my enterprise.  Linux and OpenBSD use
> the "1 patch for 1 vulnerability" rule.  Seems to me that MS is bunching
> their patches together in order to make it seem on the surface that Windows
> has less patches than other Oses, therefore it is more secure.  CIOs, take
> note. 

Yeah, this is pretty disgusting.  

Seemingly harmless in application, but when you consider features often
creep into patches in M$ software, it makes it extremely difficult to
test a single mega-patch like this on a few thousand systems with
different configurations and custom software installations.  I can tell
you first hand, that dealing with them in bunches severely slows the
patch release process in enterprise environments.

And I don't buy "its easier if it is all together".  If your patch
management system doesn't suck, any number of seperate patches can be
applied just as easily as a subset of them.

tim


Powered by blists - more mailing lists