Linked by Thom Holwerda on Wed 15th Apr 2009 09:54 UTC
Bugs & Viruses

Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it's their fault Conficker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution - who will the Redmond-finger-pointing people hold responsible?
Thread beginning with comment 358654
Bug fixes
by naranha on Wed 15th Apr 2009 13:11 UTC

Linux distributions are usually a lot faster with patching than ms as soon as a vulnerability is detected. It's just a matter of hours - max. 1 day - till the fixes pop up in the update manager.

Remember that MS took quite a long time to fix the issue with their RPC servers; it's just that there was no worm exploiting this vulnerability at that time.

Reply Score: 1
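What an admin actually needs to know, once a fix does show up in the update manager, is whether each host's installed version is at or past the version the advisory names. On Debian-derived systems that question has to be answered with dpkg's version ordering (epoch, then upstream part, then revision, with digit runs compared numerically and "~" sorting before everything), not with plain string comparison. The following is an added example, not code from the thread or from any distribution; the package name, the advisory's fixed version and the host inventory are constructed for illustration.

```python
"""Check an inventory of installed package versions against an advisory's
fixed version using the Debian/dpkg version-ordering rules.

Added example; not code from the original thread. The package name,
advisory version and host inventory below are constructed for illustration.
"""

DIGITS = "0123456789"
ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _order(c):
    """Sort weight of a single non-digit character, as in dpkg's order():
    '~' sorts before everything (even the end of the string), letters by
    ASCII code, other punctuation after letters; end-of-string and digits
    both weigh 0."""
    if c == "" or c in DIGITS:
        return 0
    if c in ALPHA:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision).
    Alternates between non-digit runs (compared char by char via _order)
    and digit runs (compared numerically, ignoring leading zeros)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit or the end.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is larger;
        # equal-length runs are decided by the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts.
    A missing epoch is 0; a missing revision compares equal to '0'."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering like `dpkg --compare-versions`."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def unpatched_hosts(fixed_version, inventory):
    """Hosts whose installed version sorts below the advisory's fixed version."""
    return sorted(host for host, installed in inventory.items()
                  if compare_versions(installed, fixed_version) < 0)


# Constructed sample: a hypothetical 'libfoo' advisory fixed in 1.2.3-4.
FIXED = "1.2.3-4"
INVENTORY = {
    "web1":   "1.2.3-3",           # one revision behind: still vulnerable
    "web2":   "1.2.3-4",           # exactly the fixed version
    "db1":    "1.2.3-4~bpo1",      # '~' sorts before the release: vulnerable
    "build1": "1.2.3-4ubuntu0.1",  # vendor rebuild of the fix: patched
    "legacy": "1:1.2.0-1",         # epoch outranks the lower upstream: newer
    "dev1":   "1.2.10-1",          # numeric, not lexicographic: 10 > 3
}

if __name__ == "__main__":
    print(unpatched_hosts(FIXED, INVENTORY))  # → ['db1', 'web1']
```

The "~bpo1" and "4ubuntu0.1" entries are the cases a naive string compare gets wrong in opposite directions: the tilde pre-release is older than the fix although it looks longer, and the vendor rebuild is newer although it does not match the advisory string exactly. Both are common once a fix has gone through a distribution's own build, which is the point at which it "pops up in the update manager".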

RE: Bug fixes - Firefox 3.0.8
by jabbotts on Wed 15th Apr 2009 13:35 in reply to "Bug fixes"

Bug reports said: "Hey, this is broken and exploitable in 3.0.7 and previous versions. We'll have 3.0.8 available for free download on Monday."

How it went down; version 3.0.8 available for download by end of day the Friday before the announced Monday release date.

Even Microsoft's last crisis patch release out of band was two weeks after the bug report was made public and "we're working on it" announcements went out.

Historically, much faster patch times on more collaborative platforms.

Reply Parent Score: 2

by bousozoku in reply to "RE: Bug fixes - Firefox 3.0.8"

> Bug reports said: "Hey, this is broken and exploitable in 3.0.7 and previous versions. We'll have 3.0.8 available for free download on Monday."
>
> How it went down; version 3.0.8 available for download by end of day the Friday before the announced Monday release date.
>
> Even Microsoft's last crisis patch release out of band was two weeks after the bug report was made public and "we're working on it" announcements went out.
>
> Historically, much faster patch times on more collaborative platforms.

In a similar situation, we're still waiting on Apple to fix Safari.

Apple did fix the SSH problem within a reasonable time (for them); however, since the fix was handed to them by open source developers, they took too long to apply it. Perhaps, they customised the code for some reason.

I'd say that those Linux users who are merely users (not hardcore users or developers) will likely update quickly and there wouldn't be a Conficker-style issue hanging over the head of Linux. Those who don't update quickly are likely on a dialup connection and aren't much of a threat anyway.

Reply Parent Score: 2

RE: Bug fixes
by PlatformAgnostic on Wed 15th Apr 2009 17:10 in reply to "Bug fixes"

MS has a somewhat more involved system for a few reasons. First, there's a functional test pass of the component and all downstream items to ensure nothing is broken.

At the same time, the security response team reviews the code in the area or any similar code for the same bug.

Then there's the creation of appropriate bulletins translated into a number of languages for worldwide distribution.

Lastly, the patch is distributed during the normal patching cycle unless it is being actively exploited. This is done to make the testing job easier for IT admins. Of course this rule is broken if there are active exploits in the wild.

Usually the time to patch is not the most important factor since most of the famous attacks (Nimda, Code Red, Slammer, and now Conficker) were not exploited by the original discoverers. They were instead exploited by people reverse-engineering a long-released patch (9-12 months in the case of Slammer).

Vulnerabilities will always slip through the cracks, though we try to catch most of them during development by fuzzing and review (I've personally prevented a couple of little NT kernel EoPs). In Vista and later OS releases, this particular exploit is less effective due to better containment of the vulnerable code.

Reply Parent Score: 2