Testing Patch Distributions

By Peter Galli  |  Posted 2006-01-11

Asked what information Microsoft has gleaned from this research, Hilf said, "Overall, we found there are pros and cons to the way commercial Linux distributions manage patches and updates. Many of the issues we saw on the Linux distributions came up when we added additional open-source software to the system." The number of updates for the many software distributions is also less important to Hilf than the bigger picture, which shows that it is not just Microsoft software that has to be regularly patched and updated. "Patching and updating is part of life in the data center regardless of the operating system or platform software," he said.
That being said, he pointed eWEEK to the data the different software vendors have provided on the Web. "On the security front," he said, "the number of security bulletins/advisories issued in 2005, including all severity ratings, ranged from 168 bulletins for Red Hat Enterprise Linux 4 to 134 for Red Hat Enterprise Linux 3 and 55 for Microsoft.
"Again, this really shows that patching, particularly for security, is not a Microsoft problem, but something that affects all operating system and platform vendors," Hilf said.

But Red Hat's Cox dismissed this comparison out of hand, saying that the Microsoft and Red Hat advisories were at different levels of abstraction, so no direct comparison is meaningful. "Even vulnerability counts normalized, say, to CVE names are hard to compare given the difference in software shipped by each vendor," Cox said. "Although we shipped 168 security advisories for RHEL4 in the year, only 17 of the underlying vulnerabilities were of critical severity [using the same scales as Microsoft for vulnerability severity]."

Of those 17 critical vulnerabilities, Red Hat made fixes for every one of them available to customers via the Red Hat Network within two days of the vulnerabilities being known to the public, with 87 percent of them being available the first day. "These sorts of statistics give customers a much better feeling for the risk and exposure they'll be taking when choosing a platform," he said. "Of course, we could reduce the number of advisories by batching issues into a single update every month, or by not fixing those vulnerabilities rated as low severity, but that is actually detrimental and increases the risk to customers. We're not going to play the numbers game with our customers."

In addition, Cox pointed out that Red Hat is often far quicker to respond to security issues affecting its customers. In late 2005, when flaws were found in Macromedia's Flash Player, Red Hat took responsibility for users who had a vulnerable version of the Flash plug-in and made an update available, he said. Red Hat Enterprise Linux customers who had installed the Flash Player got their update by using the Red Hat Network or through their automated updates in the usual way, so no special actions were required.
Customers who had installed the player even got a customized notification from Red Hat Network telling them which of their systems needed updating, Cox said.
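Cox's objection is that raw advisory counts are not comparable across vendors: one vendor may batch many vulnerabilities into a single monthly bulletin while another ships one advisory per package, so the same exposure produces very different numbers. The metrics he proposes instead, unique vulnerabilities (normalized to CVE names), how many of those are critical, and how quickly fixes reached customers, are easy to compute from advisory records. The following script is an added example, not code from the article or from either vendor; the advisory records in it are constructed sample data with invented advisory ids and CVE names, and the vendor names are placeholders.

```python
"""Normalize advisory counts to unique CVE names and measure time-to-fix.

Added example with constructed sample data; not real vendor advisories.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    cves: tuple[str, ...]   # CVE names this advisory fixes
    severity: str           # "critical", "important", "moderate" or "low"
    public_date: date       # day the vulnerability became publicly known
    fix_date: date          # day the fix was available to customers


# Constructed sample: VendorA ships one advisory per package (two advisories
# cover the same CVE in different products); VendorB batches several CVEs into
# a single monthly bulletin. Ids, CVE names and dates are invented.
SAMPLE_ADVISORIES = (
    Advisory("A-2005:001", "VendorA", ("CVE-2005-0001", "CVE-2005-0002"),
             "critical", date(2005, 3, 1), date(2005, 3, 1)),
    Advisory("A-2005:002", "VendorA", ("CVE-2005-0003",),
             "low", date(2005, 3, 5), date(2005, 4, 20)),
    Advisory("A-2005:003", "VendorA", ("CVE-2005-0001",),   # same CVE, second product
             "critical", date(2005, 3, 1), date(2005, 3, 2)),
    Advisory("A-2005:004", "VendorA", ("CVE-2005-0004",),
             "moderate", date(2005, 6, 1), date(2005, 6, 10)),
    Advisory("A-2005:005", "VendorA", ("CVE-2005-0006",),
             "critical", date(2005, 9, 10), date(2005, 9, 12)),
    Advisory("B-2005-01", "VendorB",
             ("CVE-2005-0001", "CVE-2005-0002", "CVE-2005-0003", "CVE-2005-0005"),
             "critical", date(2005, 3, 1), date(2005, 4, 12)),   # monthly batch
)


def _select(advisories: Iterable[Advisory], vendor: str,
            severity: Optional[str]) -> list[Advisory]:
    """Advisories for one vendor, optionally restricted to one severity."""
    return [a for a in advisories
            if a.vendor == vendor and (severity is None or a.severity == severity)]


def advisory_count(advisories: Iterable[Advisory], vendor: str,
                   severity: Optional[str] = None) -> int:
    """The raw number that headline comparisons use."""
    return len(_select(advisories, vendor, severity))


def unique_cves(advisories: Iterable[Advisory], vendor: str,
                severity: Optional[str] = None) -> set[str]:
    """Distinct vulnerabilities, so a CVE fixed in several packages counts once."""
    return {cve for a in _select(advisories, vendor, severity) for cve in a.cves}


def earliest_fix_latency(advisories: Iterable[Advisory], vendor: str,
                         severity: Optional[str] = None) -> dict[str, int]:
    """Days from public disclosure to the first available fix, per unique CVE."""
    latencies: dict[str, int] = {}
    for a in _select(advisories, vendor, severity):
        days = (a.fix_date - a.public_date).days
        for cve in a.cves:
            latencies[cve] = min(days, latencies.get(cve, days))
    return latencies


def fixed_within(latencies: dict[str, int], max_days: int) -> tuple[int, int]:
    """(CVEs fixed within max_days of disclosure, total CVEs)."""
    hit = sum(1 for d in latencies.values() if d <= max_days)
    return hit, len(latencies)


def summary(advisories: Iterable[Advisory], vendor: str) -> dict[str, object]:
    """The comparison a customer would actually want, per vendor."""
    crit = earliest_fix_latency(advisories, vendor, "critical")
    return {
        "advisories": advisory_count(advisories, vendor),
        "unique_cves": len(unique_cves(advisories, vendor)),
        "critical_cves": len(crit),
        "critical_fixed_same_day": fixed_within(crit, 0),
        "critical_fixed_within_2_days": fixed_within(crit, 2),
    }


if __name__ == "__main__":
    for vendor in ("VendorA", "VendorB"):
        print(vendor, summary(SAMPLE_ADVISORIES, vendor))
```

In the sample, VendorA issues five advisories and VendorB one, yet both address a similar number of distinct CVEs; the latency figures per critical CVE are what separate them. Counting per CVE with the earliest fix date mirrors the "within two days, 87 percent the first day" style of statistic quoted above, and a real pipeline would populate the records from the vendors' published advisory feeds rather than constructed data.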

Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scott McNealy, and Bill Zeitler, a senior vice president at IBM.

For numerous examples of his writing you can search under his name at the eWEEK Website at www.eweek.com.
