Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 18:33 UTC (Wed) by tzafrir (subscriber, #11501)
In reply to: Security Innovation's Microsoft/Linux web server security study by chohman
Parent article: Security Innovation's Microsoft/Linux web server security study

One simple data point to support that:

When they have classified the vulnerabilities by severity, there were no IIS vulnerabilities in the categories "low" and "not rated".

Assuming that the programmers of MS can make "small" mistakes, and not just horrible ones, this clearly indicates that many more vulnerabilities in the IIS code go unpatched.

In fact, RedHat can't easily sit on a fix to a security issue too long, because it will be fixed by its competitors sooner, and its clients would start asking annoying questions.

MS's clients have only one source for fixes and about zero independent sources with the full ability to assess vulnerabilities.

BTW: didn't they start lately to hold off fixes for 30 days?

Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 18:51 UTC (Wed) by dlapine (subscriber, #7358)

RH or the kernel developers? Not sure about RH, but the kernel folks said that a delay measured in days, not weeks or months, might be acceptable to hold off on announcing new bugs, in order to allow time to patch. I believe that they specifically said 7 days was a good limit.

Security Innovation's Microsoft/Linux web server security study

Posted Mar 24, 2005 12:30 UTC (Thu) by zotz (guest, #26117)

"When they have classified the vulnerabilities by severity, there were no IIS vulnerabilities in the categories "low" and "not rated".

Assuming that the programmers of MS can make "small" mistakes, and not just horrible ones, this clearly indicates that many more vulnerabilities in the IIS code go unpatched."

Either that, or even the smallest mistakes on the MS platform lead to big vulnerabilities...

all the best,

drew

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds