Operating Systems Security, "Microsoft Security, baby steps"
From: Todd Burroughs <todd () hostopia com>
Date: Thu, 18 Mar 2004 03:17:21 -0500 (EST)

Here's a good example. Yesterday, a problem was resolved with OpenSSL.
This package is used in a *lot* of software (yes, including *BSD ;-).
SuSE had patches out the fastest, within hours of the official release.
Over the course of the day, I saw most/all of the major open source OS
vendors (Linux and BSD) announce patches to this problem.

I know that other major software companies use OpenSSL in their products;
the "free/open source" software community responds very quickly, much
faster than any commercial vendor (I noticed that Cisco released
a patch). This is proof, same day fix vs. fix in a few months.

Updating any OS is a pain in the ass, but all of them have flaws and
need to be updated. I find that at least with the UNIX-like ones,
you can go on the Net and do your updates faster than you get rooted.
MS really needs to fix this, they need to make it so that mom and pop
can install and do updates without getting taken over.

Kudos to SuSE, keep up the good work! We're getting nervous with the
Novell thing, but keep security first. One thing, we need a basic
install, no X, just a base install that is secure.

One thing to note, I've updated a lot of SuSE based servers and had no
problem, but would rather wait a bit than have problems if the vendor
didn't have the resources to test things first and the problem is
supposed to be limited to a DOS (as opposed to remote root).
Full-Disclosure - We believe in it.