What a crock!

It is hilarious to read that MS is giving early access to patches to security vendors. Hmm. Let me understand this. There is a flaw. It can be exploited, but, hey, they want to sit around and chat about it. I seriously wonder how much of this is pure hype rather than of any value. I wonder when FOSS OSes will follow this model?

4 comments
  1. Hi Harish,
    Security is certainly a big concern for Microsoft, and we have made significant improvements in this space, especially with released products such as Windows Server 2008 through our continual improvement and integration of our Secure Development Lifecycle (http://msdn.microsoft.com/en-us/security/cc448177.aspx).
    To your point about us not being fast enough to release patches to our users, I would encourage you and your readers to refer to a report released by Symantec, published earlier this year. It reported that Microsoft was actually the fastest OS vendor in the industry to release patches to customers; patches were released within 6 days in Jul – Dec 2007. Anyway, you can read more details at the following article published by Ars Technica at http://arstechnica.com/news.ars/post/20080410-report-microsoft-fastest-to-issue-os-patches-sun-slowest.html.
    Regardless of the time taken, this is a good thing, as we make sure that we share the research and patch work we do with other security vendors, to ensure that customers that have heterogeneous environments and mixed security solutions are protected from vulnerabilities.
    Thanks,
    Matthew Hardman
    • Convenient
      It is convenient to show a report stating MS is the fastest, but the comparison with other OS vendors like Red Hat isn’t a straightforward comparison at all. In particular, the distributed nature of the large number of components that make up RHEL means there is more than one source discovering and publishing security issues, not waiting on vendor ack. If you want a good comparison, you need to post raw data and status reports such as
      http://www.redhat.com/security/data/metrics/
      http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/
    • Thanks for your comment. When you cite an article which sensationalizes some report, it is important to read the report – if it is available – as well. Remember that these articles’ sole purpose is to get eyeballs, and they will spin anything they want on a slow news day, which April 10, 2008 probably was. Here’s a quote from the article that shows how much it is sensationalizing where there is no valid reason to:

      “These two pie charts clearly demonstrate just how insecure Java really is—the number of Java-based vulnerabilities rose 250 percent from July-December as compared to January-June.”

      The article’s author is drawing invalid conclusions. The reference is comparing a 2% to 5% change in Java vulns while ActiveX went from 89% to 79% – and from that the author is able to conclude and state that Java is insecure? His subsequent observation that ActiveX is really poor does not salvage his credibility.

      With all that, you still want to cite that article? I suggest not.
      Now let’s look at the actual Symantec report. I am picking out some portions.

      I have always thought that companies like Symantec, McAfee and Trend all exist at the pleasure of the incompetence of the MS operating systems. But that is another topic.

      Let’s look at two interesting observations the report makes. The first, from page 25, says:

      Apple and Sun were the vendors most challenged by the task of maintaining a large body of third-party applications that ship with their operating systems. This is in contrast to Red Hat, which has demonstrated consistently lower average patch development times than these vendors despite having a larger number of third-party vulnerabilities to patch.

      Red Hat’s RHEL ships with almost 2,000 separate apps on the CDs. Contrast that with MS. Everything on an MS CD is created by MS. And yet, they cannot get it right. Red Hat, on the other hand, has driven the FOSS community to adopt PIE, SELinux and NX, which provide across-the-board protection and are not solely dependent on the (in)competency of the application. The fact that there is none of these capabilities in any MS operating system, despite the availability of the code in Linux, is shocking to say the least. NIH syndrome in MS perhaps? Not in the FOSS world though!
      And a second, from page 26:

      In addition to security enhancements in Microsoft’s later operating system releases, many of the third-party applications that are attacked in the wild are running on Microsoft Windows, as discussed later in the “Browser plug-in vulnerabilities” section. This is due to the fact that security enhancements in Microsoft Windows provide less protection for third-party applications than they do for Microsoft applications. Enterprises must thus depend more on after-market security products to mitigate vulnerabilities in third-party applications. Conversely, other operating systems have developed security measures that are intended to prevent attacks against the operating system and its third-party applications.

      If you choose to read the actual report, it concludes that Windows continues to have holes that will be the envy of any cheese (well, not in so few words nor with the same analogy).

      And, btw, I made no comment about MS not being fast to submit patches, but was observing that they want to *wait* and have a *show and tell* for a private audience before making it available. Your reading that I meant there is a speed issue belies your organization’s confusion with doing what is right. Speed is NOT the issue. It is about getting things done, and in a timely manner.
