
Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 17:40 UTC (Wed) by chohman (guest, #5519)
Parent article: Security Innovation's Microsoft/Linux web server security study

So, they were illustrating how patches can take time to propagate; however, when you look at the bug, you can see why Red Hat didn't particularly rush - the bug is not exploitable under Linux, since glibc prevents the potential overflow. One could admire the irony if the Windows implementation of gethostbyname allowed the exploit, couldn't one - this would make a Windows platform running MySQL vulnerable while Linux wasn't, not quite the point they wanted.

And of course, failure to fix a bug in MySQL is definitely an operating system security issue, too.

Gotta love PHB market-speak - "go-forward basis" indeed!
But I am glad to hear that Microsoft has such a wonderful management system for bugs in the 3rd-party code they ship...



Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 18:33 UTC (Wed) by tzafrir (subscriber, #11501)

One simple data point to support that:

When they classified the vulnerabilities by severity, there were no IIS vulnerabilities in the categories "low" and "not rated".

Assuming that the programmers at MS can make "small" mistakes, and not just horrible ones, this clearly indicates that many more vulnerabilities in the IIS code go unpatched.

In fact, Red Hat can't easily sit on a fix for a security issue for too long, because it will be fixed by its competitors sooner, and its clients would start asking annoying questions.

MS's clients have only one source for fixes and about zero independent sources with the full ability to assess vulnerabilities.

BTW: didn't they recently start holding off fixes for 30 days?

Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 18:51 UTC (Wed) by dlapine (subscriber, #7358)

RH or the kernel developers? Not sure about RH, but the kernel folks said that a delay measured in days, not weeks or months, might be acceptable for holding off on announcing new bugs, in order to allow time to patch. I believe that they specifically said 7 days was a good limit.

Security Innovation's Microsoft/Linux web server security study

Posted Mar 24, 2005 12:30 UTC (Thu) by zotz (guest, #26117)

"When they classified the vulnerabilities by severity, there were no IIS vulnerabilities in the categories "low" and "not rated".

Assuming that the programmers at MS can make "small" mistakes, and not just horrible ones, this clearly indicates that many more vulnerabilities in the IIS code go unpatched."

Either that, or even the smallest mistakes on the MS platform lead to big vulnerabilities...

all the best,

drew

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds