Full Disclosure mailing list archives
RE: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011
From: David T Hollis <dhollis () davehollis com>
Date: Wed, 14 Apr 2004 13:04:56 -0400
On Wed, 2004-04-14 at 08:40 -0700, Edward W. Ray wrote:
I would not mind the bunching, except that many of the vulnerabilities were discovered more than 4-6 months ago. The other OSes release patches much more quickly. What if someone other than eEye with an axe to grind discovered these flaws before Microsoft decided to patch them?

-----Original Message-----

I use Linux, OpenBSD and Windows in my enterprise. Linux and OpenBSD use the "1 patch for 1 vulnerability" rule. Seems to me that MS is bunching their patches together in order to make it seem on the surface that Windows has fewer patches than other OSes, therefore it is more secure. CIOs, take note.

It happens from time to time (today...) that several bugs get fixed with one update package on SUSE Linux (and other Linuxes). But: one update package fixes one package, whereas one patch can consist of several update packages (in our patch management framework).
I really doubt that the bundling of patches is meant to make numbers seem better, though I can see some of the think-tanks trying to compare things that way. The bundling is A) easier for everyone and, more importantly, B) probably required for some of the patches.

Realize that a Windows patch is not like a Linux kernel patch. It isn't a bit of text that represents changes to source code that then get compiled. An MS patch is a new set of DLLs or EXEs that contain the fixes for whatever vulnerability/flaw. If a bunch of vulnerabilities require mods to NTDLL.DLL, you really only need to distribute the one NTDLL.DLL that has all of the fixes. Rather than sending out 4 patches with modded NTDLL.DLLs when the only one that will stick is the last one (hopefully all patches are included in this one, of course), just send the dang thing out as one patch.

--
David T Hollis <dhollis () davehollis com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html