Less than two months after launching its Windows Server 2003 operating system, Microsoft has released a security patch to fix a vulnerability that could let malicious sites run damaging code on the server. This might fare as a pretty good score for Microsoft and their massive Trustworthy Computing initiative, as in comparison, Red Hat Linux 9 had almost thirty security patches in two months. Elsewhere, Microsoft CEO Steve Ballmer identified Linux and open-source software as key competitive challenges to the company in a memo sent to all employees Wednesday.
Nobody should do this for free. I can’t believe this Adam’s guy doesn’t pay you. I don’t want to make David Adams rich, whoever he is. 😉
> Windows is not inherently insecure and neither is Linux.
Are you trying to be politically correct, or do you want us to take this as a statement of fact? Forget about Windows, let’s compare Apache and IIS. Would you say both have the same level of security by default? Would you say that Oracle and SQL Server have the same level of security by default? Would you say: “in terms of security, Windows 95 and Windows XP are the same, neither is inherently secure”? Sorry, methinks you are just taking the easy way out.
Boring BORING B O R I N G !
If *they* want it so badly, let the g-damn monkeys eat their precious Windows. It’s crap, everyone with a mind knows it.
Why do you all care? F-them. I think it’s funny. So should you. They’ll never understand anyway… they’re just ex-shopping bag clerks that move a mouse around a screen pointing at the pretty colors and clicking. Ooooh, pretty!
How many of these idiots would want to be *brave* (stupid?) enough to be wired to a heart/lung machine controlled by a WinBox. Hmmm… I wonder. Wouldn’t it be cool to find out? C R A S H ! ! !
In fact, we should promote its use for critical systems in all hospitals, military and NASA. Thin out the herd ya know?
>”All you anti-Microsofties here”
>Professional.
Boy, you just love giving me a hard time. I’ll bite. I’m a participant here too, so please try not to hold me to a standard you clearly don’t hold yourself to.
>”not being able to hack into a properly configured Windows box if your life depended on it”
>Just a buck huh? lol
“My buck” is a colloquial phrase that means “my share.” That means I don’t think you could hack into a Windows server…at all. Windows is completely securable, as much as you’d like to convince us otherwise. You just have to know what you’re doing.
>”Patches or not, only unmaintained, unfirewalled, un-virus-protected servers are major targets. ”
>Riight, lets look back to SQL Slammer.
Firewalls protected a large part of the knowledgeable admin’s servers. I never saw SQL Slammer. Apparently, not yours though.
>”It’s only paper MCSE’s and Linux newbies that leave defaults as-is who fuel this battle.”
>… even good administrators into a position where they are not allowed to take a system down to patch….Your closed minded philosophy only compounds the problem.
Well, the first part is true, but if you want to argue it, then patch count DOES count for something. And then most Linux distros lose this argument.
>Windows has been proven to be inherently insecure, which is why Microsoft is working to fix it.
And they’re succeeding, but they’ll never convince the anti-Microsoftees I was addressing in the first place.
Simply writing for OSnews makes me support Microsoft more than I ever would have thought. Know why? Because I see things fairly and too many of our readers hate Microsoft and don’t really know why except that the much of the community has them thinking they’re supposed to.
Why do people here seem to think you can run Windows properly without the level of expertise that an equivalent Unix admin has?
i totally disagree with this article. i just didn’t think the patch comparison was enlightening or important.
but to suspect her of being a paid microsoft mouthpiece?
c’mon!!!!! that’s BS.
She owns a Mac laptop for pete’s sake! She’s brought many pro-linux, pro-mac articles to the table.
She just has low tolerance for jerks and trolls.
Just because it’s one patch, there may have been more than one bug…
I don’t agree with the article and if it was true this logic. I am not going back, I love my Linux/Apple/BeOS and I don’t need MS. So for me I am not looking back even though this article reminds me of more M$ marketing ploys. Sorry MS, you lost me already, too little, too late. My heart belongs to Tux.
>>Elsewhere, Microsoft CEO Steve Ballmer identified Linux and open-source software as key competitive challenges to the company in a memo sent to all employees Wednesday.
I thought of the quote:
“First they ignore you, then they laugh at you,
then they fight you, then you win.” – Mahatma Gandhi (1869-1948)
I noticed someone else stated this and it kind of clears things up in some aspects for me at least. Sure RedHat comes with the “Kitchen Sink”, yet YOU have an option of NOT installing that “Kitchen Sink” if you want to! If you are lazy or just plain dumb and install everything including the “Kitchen Sink”, and it turns out that you don’t need it and that it has an exploit that leaves you wide open, well then it is YOUR fault as an admin for being A.) Lazy B.) Ignorant of security issues. Now with Windows do you have a choice when it comes to installing packages? No! You are usually forced to install everything even if you don’t use it in some cases. Thus if one of those services is prone to an attack that A.) Switches it on and B.) Attacks the service once it is up and running, then you are out of luck and up a creek without a paddle. It would be nice if you could exclude certain things from actually installing in MS OS’s. Yet if Longhorn and its deep entrenchment of IE is any indication, MS will not be going down that road anytime soon.
P.S. I would also like to note that turning off services is the easy way out of fixing security problems. What good is it to have those services if and when you do need to run them they leave you wide open!? Sure, while it was nice that MS shipped its new server OS with everything turned off, the problem remains that A.) You are very limited in what you can leave out in the default installation B.) There has not been any real testing of these turned off “services” to see if they have secured them properly and not introduced or missed another big hole when they are turned on and left running for an extended period of time.
>>”All you anti-Microsofties here”
>>Professional.
>Boy, you just love giving me a hard time. I’ll bite. I’m a participant here
>too, so please try not to hold me to a standard you clearly don’t hold yourself
>to.
Hmm, how am I being unprofessional in this thread? I’m not giving you a hard time, I am simply responding to your comment. I apologize if you feel threatened.
>>”not being able to hack into a properly configured Windows box if your life depended on it”
>>Just a buck huh? lol
>”My buck” is a colloquial phrase that means “my share.” That means I don’t
>think you could hack into a Windows server…at all. Windows is completely
>secureable, as much as you’d like to convince us otherwise. You just have to
>know what you’re doing.
Right, and I intended to imply “Is that all you got?”. Hacking Windows is not as difficult a process as you think. Any qualified Windows engineer will know Windows hacking 101.
>>”Patches or not, only unmaintained, unfirewalled, un-virus-protected servers are major targets. ”
>>Riight, lets look back to SQL Slammer.
>Firewalls protected a large part of the knowledgeable admin’s servers. I never
>saw SQL Slammer. Apparently, not yours though.
Do you honestly think I was infested with SQL Slammer because I am not knowledgeable? Once on your network, it attacks random IP addresses on your network. Getting SQL Slammer does not in any way mean my servers were not as secure as they could have been. The patch that existed at the time did not work, as a later patch removed its fix. My network is very large, don’t assume that I got it because I don’t know how to do my job.
>>”It’s only paper MCSE’s and Linux newbies that leave defaults as-is who fuel this battle.”
>>… even good administrators into a position where they are not allowed to take a system down to patch….Your closed minded philosophy only compounds the problem.
>Well, the first part is true, but if you want to argue it, then patch count
>DOES count for something. And then most Linux distros lose this argument.
Please provide insight into how they lose this argument. Linux distro patches do not incur downtime other than the service being patched, the exception being kernel patches. In many cases it can be patched without stopping the service! Even if they are released more often than Windows patches they are easier to manage.
>Windows has been proven to be inherently insecure, which is why Microsoft is working to fix it.
>And they’re succeeding, but they’ll never convince the anti-Microsoftees I was
>addressing in the first place.
I thought you said Windows is inherently secure. Is it, or isn’t it?
>Simply writing for OSnews makes me support Microsoft more than I ever would
>have thought. Know why? Because I see things fairly and too many of our readers
>hate Microsoft and don’t really know why except that the much of the community
>has them thinking they’re supposed to.
That’s all well and fine, but what you have to take into consideration is that you aren’t always right. Sometimes OSS is better, other times it’s not. You assume that the majority of your readers are sheep. We aren’t.
>Why do people here seem to think you can run Windows properly without the level
>of expertise that an equivalent Unix admin has?
Hmm, for some reason Microsoft marketing comes to mind.
Indeed. Nobody should have to put up with some of the crap she gets around here. I know that if it were me I would definitely have burned out a long time ago. Keep going Eugenia!
It is so pathetic how you all try and say that ‘these patches don’t count!”
An OS comes with a piece of software, it doesn’t matter if it is 3rd party or not, the software that it came with has a flaw, then the OS is flawed. If it came with the OS, it is part of the OS.
Redhat has many software packages with the OS. You buy it, download it, whatever, with the assumption that the distro was not just thrown together and was tested thoroughly. It is Redhat’s responsibility to provide patches for these 3rd party applications, just as it is Microsoft’s responsibility to get out patches for software that comes with Windows.
Yes, bugs in IIS do count as bugs in Windows (and they are ALWAYS counted as that, by EVERYONE).
From a business standpoint, anyone who disagrees with Eugenia is wrong, plain and simple, and I’ll tell you why.
There’s a phrase – “Nobody ever got fired for buying IBM.” The point of the phrase is to poke fun at the fact that you can’t be blamed for choosing the big company.
If I understand you correctly, I don’t find the mentality of admins (or anybody else) buying a large company scapegoat remotely relevant to the discussion you are referring to.
When Red Hat releases a packaged set, they inherit (and do voluntarily assume) responsibility for all packages they distribute. Case closed.
That is true (which is why Red Hat releases patches for the whole of their product). However, Windows in and of itself is pretty useless. It is only by adding 3rd party software (as Red Hat does) that it becomes useful in any way. So, to judge Red Hat’s complete system offering and its bugs to the worthless nothing that is Windows by itself is not a fair comparison. To make a fair and accurate comparison regarding bugs, you must include IIS, MS SQL Server, Outlook, MS Office, Exchange Server, etc. in the comparison in order for it to even be remotely valid.
Even if you do evaluate the bugs in this way, it still leaves out the fact that you are judging Red Hat based on 3rd party software, but not Microsoft. You are also judging the fact that Red Hat discloses all of their bugs whereas Microsoft does not. You are also not taking into account the fact that Microsoft’s “bug fixes” are single patches that may contain any number of actual fixes. Red Hat doesn’t hide their bug fixes in this manner.
So, if the intent is to drone on about some irrelevant numbers for marketing/FUD purposes, then yes, this is the exact way you would want to go about it. However, if you are trying to achieve a non-biased, purely scientific evaluation of Microsoft vs. Red Hat from a security perspective, nothing in the world could be further from accurate.
https://rhn.redhat.com/errata/rh9-errata.html
2003-06-03 RHSA-2003:187 Updated 2.4 kernel fixes vulnerabilities and driver bugs
Selected Quote
Several security issues have been found that affect the Linux kernel:
Al Viro found a security issue in the tty layer whereby …
Andrea Arcangeli found an issue in the low-level mxcsr code in which a malformed address …..
The TCP/IP fragment reassembly handling allows remote attackers to cause a denial of service ….
In addition, these kernels fix a number of bugs:
Driver bug fixes are included for the Silicon Image IDE driver, the USB ohci driver, the Audigy driver, and the driver for the Olympus Camedia digital camera.
A fix written by Andrew Morton is included to address a system stall caused by file I/O in rare cases.
An updated fix corrects some bugs in the ptrace security fix for Red Hat Linux 7.1, 7.2, 7.3, and 8.0…
Updated fixes for the ioperm security issue are also included.
A potential data corruption scenario has been identified. This scenario can occur under heavy, complex I/O loads…
Red Hat Linux kernel erratum RHSA-2003:172 exposed a bug in the quota packages for Red Hat Linux 7.1, 7.2 and 7.3;
end of selected quote
this obviously doesn’t count as one of linux’s bugs and by no means a cumulative patch 8-))))
I just updated kernel last weekend, now it is all over again, as I need to use pptp/mppe, so I need to recompile again with MPPE/MPPC patch – with lowly windoze, I just download, reboot
they are facing almost all the technical challenges closed source developers have met. One exception might be backward compatibility.
In Windows XP, one can still find a DLL called CRTDLL.DLL, which is the C run time library for the NT 3.1 era.
With a linux distro, I have to bet my luck if I brave a GLIBC update, say from 2.2 to 2.3
What matters is the WHAT Red Hat SELLS YOU and is installing by default on a server configuration.
I disagree. Comparing an OS to an OS + DB + Web server + FTP server + a whole lot of other servers is comparing apples and the whole fruit store. You’re looking at it from a marketing exec’s point of view – the box. You’ve shown us that you know better than this, Eugenia.
Also, an interesting point was raised: how many bugs did the one patch from MS fix, and what were the severity of those bugs. Now, how many bugs did the RedHat patches fix, and what were the severity of these bugs. Finally, how much time did it take between the moment the exploits were discovered and the moment the patches were made available. These are the info we need in order to determine who has the better scorecard, here. Anything else is pointless.
So if MS forces OEM’s to bundle Office and other MS applications like DB’s when they sell a server or desktop PC. Should we count all those 3rd party applications that came bundled OS as a MS problem ?
in the rh9 June 03 kernel update, there are around 11 fixes
Red Hat is delivering a massive amount of software along with its distribution IN ADDITION TO the operating system itself, whereas the writer is talking about patches for Windows OS only.
Red Hat, like all Linux vendors, need to publish their patches at once since the minute a problem detected in an open source application, everybody knows it. Microsoft can keep the holes open longer and release a single patch with a lot of corrections.
However, Red Hat could just as easily ship a stripped-down system a make the admins manually install their software.
Well, they do ship one like that: it’s on the same CD, and it’s called a minimal install. Just the OS, nothing else. The Admins can then manually install and configure the needed software.
> Comparing an OS to an OS + DB + Web server + FTP server + a whole lot of other servers is comparing apples and the whole fruit store. You’re looking at it from a marketing exec’s point of view – the box. You’ve shown us that you know better than this, Eugenia.
I am sorry, but I disagree with you. I DO NOT see it from the marketing exec’s point of view, but from the user’s. It does not matter what is an OS and if this or that part is part of the OS or not. What matters is the stuff that get installed from the CD. And surely people who run red hat on their servers do run mysql and apache, and these apps had severe holes as you can see in the red hat pages.
Whatever is coming with the CD, it might be useful and installed by this or the other admin/user. From the moment this gets installed, whatever app that might be that comes WITH the OS CD, is part of the product and it is dangerous for the user if they are insecure.
I rest my case.
When Red Hat releases a packaged set, they inherit (and do voluntarily assume) responsibility for all packages they distribute. Case closed.
Which is exactly what they’re doing by releasing patches for all those non-RedHat packages which they distribute! This is actually much more responsible than Microsoft, which will only distribute patches for their own software.
Anon:
No, A) Because Microsoft wouldn’t do this, and B) It would be the OEMs responsibility.
If Microsoft embedded Office into Windows, like they have with IE, then yes.
Everyone keeps saying that Windows doesn’t come with anything, but we are talking about servers here.
Windows Server comes with Active Directory, IIS, RRAS, TS, Windows Media Services, etc….
“Which is exactly what they’re doing by releasing patches for all those non-RedHat packages which they distribute! This is actually much more responsible than Microsoft, which will only distribute patches for their own software.”
RH distributes patch for SW they distribute, MS will only distribute patches for their own software – as MS only distributes their own software – same thing to my eyes 8-))
This is interesting, especially because it shows that no system or inter-related systems are perfect.
I agree with Eugenia and others who said you must be responsible for the content of your product. It does bring out though a philosophical and traditional aspect of OSS and the free software movement. The “Kitchen Sink” distros are inclined to throw in everything because it is in the spirit and philosophy of OSS to do that. And, it is a good thing that some distros do this. But, it isn’t perfect and we have many comments showing how it is difficult to stand by your product if you aren’t really sure how secure some of it is. There is no way out of that, as far as I can see – it is the trade off of having the Kitchen Sink.
I still do think that Eugenia is right though. Ultimately, distributors of linux may have to end up making some decisions about what goes into their distros. The distros trying to get the ordinary user have already done this as it suits their purpose perfectly. I have to admit, it would be kind of sad for the Kitchen Sink distributors because of the spirit and philosophy of OSS. But, now things are getting more and more business oriented and corporations will not care about the ideals of OSS when, above everything else, they want secure systems. For Linux, there may be a separating of the chaff from the wheat in the long run because of this. And, especially true if they want to compete against Microsoft, which has at least the aura of being secure simply because they are so dominant.
Archie, Microsoft releases patches for EVERYTHING that comes with the OS on Windows Update.
Most of the packages Redhat distributes are open source projects. I sure hope that Redhat doesn’t write the updates and bug fixes, that would be a disaster. Anyway I have no worry about Linux security, in fact the security is awesome. I also like how the updates download and install in next to no time. I paid for my distribution, so I get updates, however I’m sure that another way to go is through CVS.
]Hmm, how am I being unprofessional in this thread? I’m not
]giving you a hard time, I am simply responding to your
]comment. I apologize if you feel threatened.
Not this thread. And I’m not threatened, I thought this was just debate.
>Simply writing for OSnews makes me support Microsoft
>more than I ever would have thought. Know why?
>Because I see things fairly and too many of our readers
>hate Microsoft and don’t really know why except that the
>much of the community has them thinking they’re supposed to.
]That’s all well and fine, but what you have to take into
]consideration is that you aren’t always right. Sometimes
]OSS is better, other times it’s not. You assume that the
]majority of your readers are sheep. We aren’t.
Aitvo, if you read this site regularly, you should know I DEFINITELY support open source software. I’m not especially a Windows fan, I just take the time to appreciate its benefits the same way I do Red Hat’s, Mandrake’s, etc.
And, by the way, I am really disappointed with some of the people who appropriately got modded down. I am not surprised at anything that is said here, but I am by who some of those people are in this case. I did think they would take a swim in the sewer.
> Anyway I have no worry about Linux security, infact the security is awesome
read this then
http://www.theinquirer.net/?article=9845
…who cares? It doesn’t mean that Redhat is more buggy than Windows or that Windows is now the Holy Grail of security… They’re just facts.
Agreed
actually, with win2k3, one can also find fax server, cd burner, to add two more.
a linux distro could stuff my hd with thousands more features, however, for the most part, I don’t think I will use most of them, even if I knew all of them …
don’t tell me I have more choices, as I find I still couldn’t download a driver for my canon 620 U scanner that works under linux – in this case, that is what really matters – I don’t even have the freedom to use the hardware that I have under linux
I meant I did *not* think they would take a swim in the sewer.
>how many patches are inside MS’ cumulative patch?
Two: http://www.computerworld.com/securitytopics/security/holes/story/0,…
I think both sides have valid points.
It is an unfair comparison to make, as clearly redhat has more value, and more software. However, they should be more responsible, either testing more closely or not including things in the default installation. They can’t really just blame the software packages they install.
But just because RedHat is at fault, doesn’t make the comparison fair.
I have not had any security problems in the last 16 months using Linux. I have encountered one single virus on Linux but it wasn’t on my machine. The day that Linux has security problems I’ll know about it immediately because I use Linux. That day has not happened yet.
It’s not because you hadn’t any that they don’t exist. I’m sure that a majority of Windows users never experienced a security breach, you know.
IMO, both OSes are quite secure, but I’m personally more comfortable with OSS ’cause people can audit and fix quickly buggy code and security holes. But hey, that’s just me.
Back when I used MS Windows (BTW is Microsoft still in business?), I had worm virii that forced me to reinstall the platform. I also hated getting updates because they took about 6 – 12 hours to install. I think that’s probably the real reason why MS isn’t releasing as many patches (if the company still exists).
I’m sorry to keep harping on this, but this logic is flawed. I really don’t care which system has more bugs. As long as either one make me a living, I’m happy with them. But, if we are going to make this comparison, then we need to be accurate and fair about it.
I am sorry, but I disagree with you. I DO NOT see it from the marketing exec’s point of view, but from the user’s. It does not matter what is an OS and if this or that part is part of the OS or not. What matters is the stuff that get installed from the CD.
Then why oh why aren’t you comparing all the other MS products (such as IIS, MS SQL Server, Exchange Server, etc.) with all that Red Hat offers? As I said before, this is not a scientific comparison and you are letting business models get in the way of a fair comparison. Nobody buys just Windows (since that would be useless), so to compare Windows as if it were a complete offering is ludicrous; it is not.
If you are going to compare the two in that way, then the only logical conclusion you can draw is that Windows, while it has slightly less bugs than Red Hat, won’t actually allow you to do anything. If you leave the last part of that sentence off, then your conclusions are unfair and incomplete.
And surely people who run red hat on their servers do run mysql and apache, and these apps had severe holes as you can see in the red hat pages.
And Microsoft products such as IIS and MS SQL Server also had severe holes. What is the point?
Whatever is coming with the CD, it might be useful and installed by this or the other admin/user. From the moment this gets installed, whatever app that might be that comes WITH the OS CD, is part of the product and it is dangerous for the user if they are insecure.
I rest my case.
Then, by that same logic, in a comparison between Red Hat and Windows robustness and usefulness, Red Hat is a very useful and robust operating system, and Windows is shallow and utterly useless. Regardless of the point of view you are trying to take (user’s, marketing’s, etc.), without being accurate and scientific in the way you arrive at your results, your conclusions can be nothing but invalid.
I rest my case.
“In windows, many of my programs will not work *unless* they are run as root (or ‘Administrator’ in Windows speak). I would suspect that about 95% of windows boxes are run as Admin, so are effectively already rooted.”
Spot on. The thought of accessing the Internet as superuser/Administrator/root scares the living daylight out of me. The thought of opening email – what with all the nasties going around – as Administrator ….
You know what I mean.
“OpenBSD has a marketing department, as Bascule mentioned. It’s called Word of Mouth, and that’s not entirely FUD-free either.”
“And MS _has_ greatly improved their security record in recent years.”
And Microsoft has a greatly misunderestimated marketing department as well – it is called “Foot and Mouth”. When it occurs in herds of cattle, they get put down.
And Microsoft not infrequently uses it to benefit the F/OSS movement, so one should not be too harsh on them.
N.B. Some say Foot of Mouth, some say Foot in Mouth, some say Foot and Mouth; you are free to make up your own mind.
I expected better out of Microsoft. With 22 years of experience and billions of dollars worth of resources, still having bugs in their products, after 22 years of writing operating systems, is inexcusable.
Eugenia, I am deeply disappointed in your ability to admit when you have made a mistake. Nobody is perfect, nor do we expect you to be. However, I personally have the expectation that you would own up to a mistake when presented with overwhelming evidence that disproves your position. A simple “patch count” is _absolutely no measure of a products security_.
Allow me to turn your argument around. Red Hat Linux is more secure than Microsoft Windows because it had fewer published vulnerabilities.
Can you spot the flaws in the logic now?
1. It does not take into account the fact that vendors place multiple fixes into “single” patches.
2. It does not take into account the severity of any of the exploits.
I won’t even go into the part about your comparison taking into account a larger subset of applications and packages on one side of the equation than the other. Ignoring this additional problem, and simply using the two points above, can you not see the logical fallacy?
It is not a weakness to say “I was wrong”. Unless you are just trying to drive hits. 🙁
So if you are not surfing the web with your server it’s not even a problem. The first “real” security hole with 2003 server will be a remote one.
yeah this is just a local hole. IE is disabled by standard. And you need to visit pages that exploit this hole to be invected.
http://www.microsoft.com/security/security_bulletins/ms03-020.asp
Read it. It is for Internet Explorer 5.01, 5.5, and 6.0! Not something that is 2k3 really, just anything that has IE6 on it. Misleading biased headline.
Another patch for IE after 2k3 had gone gold:
http://www.microsoft.com/security/security_bulletins/ms03-015.asp
So this would be a second one? Point is who cares. MS still has buggy software and OSNews has biased headlines just like usual.
Comparing Windows Server 2003 with Red Hat Linux 9 is not unfair, but really is like comparing apples and oranges. You should have chosen Red Hat Enterprise Linux ES, which is the release more similar to Win2003, and has been released in the same timeframe.
Things wouldn’t have changed, for the ES edition has roughly 30 errata too, but you would have avoided lots of noise in the comments.
… through this :
<input type=”IIS hax0r kernel0rz” />
Use it to load mspaint, and use that to hack admin .. no wait … its probably already running as admin …
Anyone here want to disagree with me?
Eugenia and many of you, your comments s*c_ …
…cos reading this thread made me lose time that could have been far better spent.
Eugenia is right. Red Hat IS responsible for everything they ship in their products. They do live up to that responsibility by releasing patches for all those things.
MS also takes full “responsibility” by releasing patches. MS also usually waits until they have a patch ready before they announce it. Why? Announcing a security hole without having a patch ready is an open invitation to worm makers and script-kiddies. Why does MS take longer time to release a patch? Cos their software has more integration and fewer systems are bolted on the way they are on your average Linux distro. More integration => a change requires more testing so that it won’t cause a security problem on another end.
This integration is MS biggest security problem and they know it. Integration gives ease of use for the end user.
Now that said, you can’t make a direct comparison between Red Hat and Windows server. Now you can argue all you friggin want about cheap OSes with CDs containing everything but the kitchen-whatever and compare the “bare-bone” price of a Windows installation. Now AFAIK, Apache, MySQL, PHP etc also have free versions for Windows. What it all boils down to in the end is … nothing. You can’t compare them and come to valid conclusions UNLESS you strip both systems (that includes removing IE etc access from Windows) to the minimum state and then see which does/is whatever, and that is always pointless as no one uses a system with no apps/servers on it.
Patch count is a numbers game and has absolutely zilch to do with security! You can prove everything and nothing with statistics. In this case it all comes down to FUD and zealotry and I still don’t know which is worse but I’m leaning towards zealotry.
About MS spyware: remember Carl Sagan? He said “The absence of evidence is no evidence for absence” and that is true. This also goes both ways! There is no spyware until it has been proven so (I’ve not seen any clear proofs so far) and just because it hasn’t been proven so doesn’t mean that it isn’t possible. I know I’m asking for far too much when conspiracy believers are present, but please stop the FUD.
Just to let you know, Windows servers (2k or 2k3) can be easily configured to, even without a firewall to protect it, serve content on a University network without being hacked for more than 3 years. Those two servers require about the same amount of maintenance/server as the FreeBSD and Linux servers we use. Point I want to make… you need knowledge, regardless of what server OS you want to use.
There… now I’ve wasted even more of both my own and your time by replying but it was in the intent of perhaps avoiding such a discussion in the future… oh what the hell, who am I kidding! Get out and enjoy the sun and use whatever OS that suits you and your knowledge!
Thanks for the reply, but you didn’t answer any of my questions. 😉
Too much to read, but on the first 5-6 pages it was always talk about bugcounts. Whatever.
But…
IT IS A FREAKIN’ PATCH FOR INTERNET EXPLORER! The server doesn’t run IE unless there’s a moron logged on and surfing the web! Goddamnit! This patch is such a non-issue, and yet it generated so much fuzz here!
It will only be a matter of time before win 2003 srv gets virii. This is often very damaging because of the bandwidth and file corruption virii use. Then it’s many hours work to clean the system or reload it from a backup.
Eugenia is right. 30 holes in redhat is 30 holes no matter how you look at it.
Win 2003 has only had 2 patches.
LETS ALL WAIT UNTIL “A YEAR WITH WIN 2003 SRV” REVIEW COMES OUT.
gnupg, cups, kde, mysql etc etc etc.
All these packages don’t belong to the operating system.
I’m glad I saw that list of Red Hat patches!
Do you realise that a bug in the Kanji emulator for the console could allow a hacker to gain local root privileges!!!!!!
I’m sure there are so many people on the planet who are likely to be affected by this, so I’m glad they fixed it before any exploits have been written.
Less than ten patches. All of these patches were to fix vulnerabilities in the services that we run on that server.
From what I understand you run this web-site full-time, Eugenia, and likely haven’t held a SysAdmin position within a major or small corporation. Which very seriously degrades your opinion on the number of patches.
For instance, if you were running Red Hat simply as a desktop, after killing/removing or never installing any of the server packages, you will find very few patches required for your system.
Again, as a Systems Administrator, depending upon the services that you are running on your server, you may only need to apply a very small number of patches to the system.
You have to compare apples to apples. If Microsoft Windows Server 2003 came with all of the types of software that comes with Red Hat (any version), then Microsoft would have just as many, if not more patches available for it. Such is the conundrum of complex software.
Currently, there is almost no way to write code that won’t have bugs or vulnerabilities in it. Unless one takes years and years to develop a package prior to release and even then, it is still going to have one or two little issues.
Eugenia wrote:
> It doesn’t matter WHERE the hole is. All that matters is the PRODUCT and what that offers.
If that is the case, Eugenia, make sure to include Internet Explorer (part of the OS, you know), Outlook Express, and IIS flaws that get bundled with all Windows OS. You should also include the 90+% of all viruses, Trojan horses, worms, and backdoors that only affect all Windows products.
Comparing a Linux distro that contains more applications than Microsoft even creates is not an apples to apples comparison, no matter how you spin it. Let’s not forget that when I install Linux, I only include what is needed for that particular system so many apps are not installed. When you install Windows, Microsoft loads many unnecessary apps by default. A web browser on a server? Give me a break.
Heck, why not just go all the way and interpret an operating system as Windows + Microsoft Office + IE + Media Player + Microsoft Plus + their whole gaming line + any other software they sell.
WOW, they now have more patches than Linux! aren’t I smart.
Please, there is a difference between issuing a patch and the patch actually working, something Microsoft has never been able to grasp in its many years of existence.
You can’t compare Windows to Redhat and make a generalization that Windows is better than Linux. Linux is more secure than windows. Both platforms have buggy software though, and Linux fixes the bugs quicker because it is open source, who knows what Microsoft has hiding still. My Linux box has been more stable than any computer that I have put Windows on, all the way up to XP. Windows is losing the race, 2k3 will be shot down just like the rest of their releases. Hats off to tux, Microsoft can go fuck itself.
“Then why oh why aren’t you comparing all the other MS products (such as IIS, MS SQL Server, Exchange Server, etc.) with all that Red Hat offers? As I said before, this is not a scientific comparison and you are letting business models get in the way of a fair comparison. Nobody buys just Windows (since that would be useless), so to compare Windows as if it were a complete offering is ludicrous; it is not.
If you are going to compare the two in that way, then the only logical conclusion you can draw is that Windows, while it has slightly less bugs than Red Hat, won’t actually allow you to do anything. If you leave the last part of that sentence off, then your conclusions are unfair and incomplete.”
i agree. i find it funny that one of the great advantages of linux, means that the distributions are providing nearly all the needed software for free, is now turned as a negative against it or them…
c’mon, what would you prefer-red hat looking over all the programs they provide, means hiring several dozens additional hackers, therefore needing to increase prices or even going out of business (or giving up the “normal” red hat), alternatively just shipping a working equivalent to windows (means without any office-suite etc.) so that one has to download all the stuff manually from the net, or keeping it like it is, means distributed maintaining and quick bugfixes as well as low prices (does mfst provide a possibility to get xp and office for free, and then providing free support for it as red hat does)?!
my linux installation might have not less bugs than my windows installation, but nevertheless i feel more secure, because bugfixing or oss in general is just so much more transparent, and many more eyes are looking at the source code.
the choice is yours…
I want you to do something. Install Windows, and then ONLY use what comes with it. You can’t install anything else at all. A lot of Solitaire and the occasional IE, go wordpad! Oh yeah you can’t install drivers either, that may make your system unstable. The point I am trying to make is that without software an OS is useless. If red hat (or my favorite, SuSE) give you a ton of software, most of which isn’t installed, then yes there will be more security updates, because the system can do more. But with windows they are not counting all the other programs like Office which is installed on most OSes (ahem Outlook), nor are they counting viruses.
Redhat can not be responsible for all of that software, but they can be responsible for providing service, for responding to bug reports and for asking open source project developers for patches. They can test, and deploy a patch, and also express user requirements to the developer community, but how can they manage all of the research and development? Redhat is a partner with Oracle, and that’s what the Advanced Server is all about. When Redhat tries to take over the research and development for large open source projects, they are out of their league. Redhat tends to specialize in service and making partners with some of the big vendors like IBM and Oracle, maybe also Sun Microsystems. I don’t think that Redhat’s developers maintain very many of the large research projects (their partners do), so they can’t be liable; on the other hand, they should want to maintain good service, so it is in their interest to support their customers with responsible and prompt packaging of fixes that the open source community writes.
I think that Redhat does the packaging.
It should also be pointed out that under its default configuration Win2k3 is _NOT_ affected by this security hole.
We need a button on the front page of OSNews for each story that will take us directly to the moderated down posts for that story, it will make it much easier to best conversations regarding the story.
This turned into an evangelical battle of operating systems (which I am almost unwilling to call Linux, as it is a kernel, which has utilities added to make a distribution). At any rate, I would think a primary concern of most SysAdmins would be making sure their software is up-to-date and exploit free, not ridiculing software that they themselves don’t even use. Why do Linux zealots invariably slag Windows? Or Windowsheads inoculate themselves against the open source “virus” (in case you hadn’t noticed, that was sarcasm)? Could it be insecurity? (I really love that amphibolous double entendre…)
sometimes you have to be a little controversial.
you go girl!
p.s. Redhat should put in big letters on the outside of the box.
“This collection of software includes thousands of programs, including utilities, games and servers. Patches for all of them are available online.”
Redhat packages (RPMs) the updates for their distribution and provides the updates to RHN subscribers.
> OpenBSD spanks them all though
If it doesn’t support SMP then it doesn’t belong in the enterprise except for a firewall.
Enjoy!
>You are WAY off base Eugenia.
If it is someone that is way off base, this is you.
> Apache does not come from RedHat.
> MySQL does not come from RedHat
> and almost none of the other 30 RedHat patches actually were for software originating from RedHat.
You don’t understand the meat here: IT DOES NOT matter who wrote what! It does not!
What matters is WHAT Red Hat SELLS YOU and is installing by default on a server configuration.
No, I don’t think it’s fair to compare like that. Alright you can claim it is a product bundled from a single vendor as Red Hat, but it’s a complete OS + application system, whereas Win2k3 Server is an OS + IIS and maybe a few extras. The really fair comparison is Win2k3 + MS SQL Server 200x + Exchange Server 200x + any other MS server products to compare with Red Hat Linux in counting bugs/security holes – since only then they both offer the same level of functionality.
This turned into an evangelical battle of operating systems
I don’t think that is an accurate evaluation of the discussion. The topic of discussion is not which system is better, but rather regarding the proper way to compare the two.
(which I am almost unwilling to call Linux, as it is a kernel, which has utilities added to make a distribution).
There’s no need to go and get all pedantic on us.
At any rate, I would think a primary concern of most SysAdmins would be making sure their software is up-to-date and exploit free, not ridiculing software that they themselves don’t even use. Why do Linux zealots invariably slag Windows? Or Windowsheads inoculate themselves against the open source “virus” (in case you hadn’t noticed, that was sarcasm)?
I don’t think anyone has spoken zealously, but rather offered some valid reasons why Eugenia’s comparison of Red Hat vs. Windows security is fundamentally flawed; or offered support for Eugenia’s stance. Taking one side or the other in a discussion such as this can hardly be labelled zealous (well, unless you are a politician, then such unwarranted and baseless name calling is unobjectionable; nay de rigueur).
Could it be insecurity? (I really love that amphibolous double entendre…)
I really love the superfluous adjective used to modify a noun of the same general meaning.
Cheers
No, I don’t think it’s fair to compare like that. Alright you can claim it is a product bundled from a single vendor as Red Hat, but it’s a complete OS + application system, whereas Win2k3 Server is an OS + IIS and maybe a few extras. The really fair comparison is Win2k3 + MS SQL Server 200x + Exchange Server 200x + any other MS server products to compare with Red Hat Linux in counting bugs/security holes – since only then they both offer the same level of functionality.
You are exactly right. Microsoft does sell a DB server, an IM client, an email server and client, development tools, etc. just the same as Red Hat does. The only difference is the business model that each of these companies choose to implement — Red Hat gives you a ton of software as part of their base package, while Microsoft charges you an arm and a leg for each separate offering (which sucks if you need more than two products).
Eugenia should not let a business model get in the way of a fair comparison, in my opinion.
Oh, I love that, “Microsoft charges you an arm and a leg…”
I hate to tell you this, but Microsoft is usually the cheapest solution in server software.
The reason RedHat has had 30 security patches is because it is based off of basically the same Kernel as the previous versions. The reason 2003 has only one patch is because its userbase is VERY small. Let’s compare apples to apples here people.
What are you comparing to? SQL Server, Oracle, and DB2 perhaps (The lines blur a bit when licensing SQL Server these days, but it’s still cheaper). I don’t really see any other instance where it’s cheaper.
We are talking about Windows vs. Red Hat right? Under that comparison, Windows (and all its solutions) are much more expensive.
To illustrate, I have spent a few moments looking up web prices for several MS offerings. I assume with work one could find them cheaper, but with work you can get Red Hat’s solutions cheaper too so I think it is a fair comparison. Since Red Hat’s offerings do not limit you to a certain number of clients, I chose the CPU based licensing wherever possible. Here’s what I found:
Exchange 5 CAL = $999.95
Exchange 25 CAL = $6,495.00
Windows 2003 Server 5 CLT = $959.00
VisualStudio Enterprise Developer Ed. = $1,799.00
SQL Server Enterprise (one CPU license) = $19,999.00
SQL Server Standard (one CPU license) = $4,999.00
Red Hat Advance Server = $2,499.00
So, if you have a medium sized organization of 400 people, the Microsoft offerings can become quite expensive (hence the arm and a leg figure of speech, which caused you to reply). As a bonus, for the $2,499.00 price of Red Hat AS, you get a nice clustering solution and Itanium support too.
So, as you can see, Microsoft is not anywhere near the cheapest server solution.
To be realistic you’d have to add lots of additional apps to windows to get the same level of usability as you get in redhat 9. It doesn’t matter to me as a user if the base install of windows has fewer security issues, if I have to add lots of other apps (with additional security issues) to be able to use it.