lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1081962296.2323.5.camel@dhollis-lnx.kpmg.com>
From: dhollis at davehollis.com (David T Hollis)
Subject: The new Microsoft math:  1 patch for 14
	vulnerabilities, MS04-011

On Wed, 2004-04-14 at 08:40 -0700, Edward W. Ray wrote:

> I would not mind the bunching, except that many of the vulnerabilities were
> discovered more than 4-6 months ago.  The other Oses release patches much
> more quickly.  What if someone other than Eeye with an axe to grind
> discovered these flaws before Microsoft decided to patch them? 
> 
> -----Original Message-----
> 
> >  
> > I use Linux, OpenBSD and Windows in my enterprise.  Linux and OpenBSD 
> > use the "1 patch for 1 vulnerability" rule.  Seems to me that MS is 
> > bunching their patches together in order to make it seem on the 
> > surface that Windows has less patches than other Oses, therefore it is 
> > more secure.  CIOs, take note.
> 
> It happens from time to time (today...) that several bugs get fixed with one
> update package on SUSE Linux (and other Linuxes). But: One update package
> fixes one package, whereas one patch can consist of several update packages
> (in our patch management framework).
> 
I really doubt that the bundling of patches is meant to make numbers
seem better, though I can see some of the think-tanks trying to compare
things that way.  The bundling is A) easier for everyone and more
importantly B) probably required for some of the patches.  Realize that
a Windows Patch is not like a Linux Kernel Patch.  It's isn't a bit of
text that represents changes to source code that then get compiled.  A
MS patch is a new set of DLLs, or EXEs that contain the fixes for
whatever vulnerability/flaw.  If a bunch of vulnerabilities require mods
to NTDLL.DLL, you really only need to distribute the one NTDLL.DLL that
has all of the fixes.  Sending out 4 patches with modded NTDLL.DLLs when
the only one that will stick is the last one (hopefully all patches are
included in this one, of course), just send the dang thing out as one
patch.  

-- 
David T Hollis <dhollis@...ehollis.com>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ