Dealing with Security Alerts

By Peter Galli  |  Posted 2006-01-11

"Microsoft customers were left on their own," Cox said. "For several days the only way customers could find out about this issue was from the Microsoft security team Weblog or if they read something in the press about Flash vulnerabilities and realized they had it installed. Later, Microsoft issued an advisory telling customers to visit the Macromedia site to obtain an update."

Interestingly, Microsoft's Hilf has a personal Red Hat workstation in his office that he uses on a daily basis. He selected a random week in October to provide a snapshot of the updates made to his Red Hat Enterprise Linux workstation over that period. He found that, between Oct. 6, 2005, and Oct. 11, 2005, his workstation was updated 66 times.
"I chose those dates randomly," he said. "I use this system daily, so it was literally a snapshot of a given workweek. All this illustrates is that patching and updating are part of any living software system. It is part of the nature of modern software: Things change, bugs happen, features get added, and software needs to get updated."
But Red Hat's Cox pointed out that the second Update release for RHEL4 was issued Oct. 5, resulting in a very large number of updated packages over the period of a day or two, "which is what Hilf saw. We only issued two Update releases for RHEL4 in 2005, so he was quite unlucky in his choice of a random snapshot," he said, tongue in cheek.

Over that six-day period, only three security updates were released, one rated "important" and two rated "moderate," Cox pointed out, adding that from the release of Red Hat Enterprise Linux 4 in February 2005 until Jan. 5, 2006, just 15 of the total 169 security errata package updates for the year were for issues rated "critical."

Hilf also downplayed the significance of the number of updates, saying: "Our focus isn't a counting contest; it is to understand the models, the architecture for patching, and the manageability of the process. So I got a load of patches from Red Hat on my Linux workstation over the course of six days in October. Was that a big deal? Not really."

That's because Linux distributions update at the package or component level, so a Linux user sees far more individual update notifications than a Windows user does. When Red Hat ships an Update release (rather like a Windows service pack), it issues a separate advisory for each package updated, giving users the ability to obtain all the updates or to select updates based on their own criteria, Cox said. "Customers may decide to only update for critical and important security issues, for example, and can do so easily using the Red Hat Network," he said.

Later this year, Hilf said, he will have about two years of data, "and I expect to have more quantifiable data at that point."
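The per-package, severity-rated advisory model Cox describes is what lets an administrator apply a policy such as "critical and important security errata only." The following is an added example, not code from the article, from Red Hat or from the Red Hat Network; it parses advisory lines in the shape printed by `yum updateinfo list` (advisory ID, type or severity, package), tallies security errata by severity the way Cox's 15-of-169 figure does, and selects the advisories that meet a configurable severity threshold. The advisory IDs and package versions in the sample are constructed for illustration and do not correspond to real errata.

```python
"""Severity-gated selection of per-package security errata.

Added example, not code from the article or from Red Hat. It models the
update model the article describes: each advisory covers one package and
carries a severity, and an administrator applies only the advisories that
meet a local policy. Input lines mimic `yum updateinfo list` output; the
advisory IDs and package versions are constructed, not real errata.
"""
import re
from collections import Counter

# Red Hat's four-level severity scale, ordered from least to most severe.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}

# One line per advisory/package pair. Constructed sample data: none of
# these IDs or versions refer to a real advisory.
SAMPLE_UPDATEINFO = """\
RHSA-2005:9901 Critical/Sec.  firefox-1.5.0.1-1.el4.i386
RHSA-2005:9902 Important/Sec. kernel-2.6.9-22.0.1.EL.i686
RHSA-2005:9903 Moderate/Sec.  openssl-0.9.7a-43.4.i386
RHSA-2005:9904 Moderate/Sec.  cups-1.1.22-0.rc1.9.8.i386
RHSA-2005:9905 Low/Sec.       lynx-2.8.5-18.1.i386
RHBA-2005:9906 bugfix         bash-3.0-19.3.i386
RHEA-2005:9907 enhancement    vim-common-6.3.046-0.40E.7.i386
"""

# RHSA = security, RHBA = bug fix, RHEA = enhancement. Security lines carry
# "<Severity>/Sec." in the second column; the others carry a plain word.
LINE_RE = re.compile(
    r"^(?P<id>RH[SBE]A-\d{4}:\d{4})\s+"
    r"(?:(?P<severity>Critical|Important|Moderate|Low)/Sec\.|bugfix|enhancement)\s+"
    r"(?P<pkg>\S+)$"
)


def parse_updateinfo(text):
    """Parse updateinfo lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sev = m.group("severity")
        entries.append({
            "id": m.group("id"),
            "security": sev is not None,
            "severity": sev.lower() if sev else None,
            "package": m.group("pkg"),
        })
    return entries


def severity_counts(entries):
    """Count security advisories per severity (the breakdown Cox quotes)."""
    return Counter(e["severity"] for e in entries if e["security"])


def select_updates(entries, min_severity="important", include_non_security=False):
    """Return the advisory IDs a policy would apply: security errata rated at
    or above min_severity, plus bug-fix/enhancement errata only on request."""
    threshold = SEVERITY_RANK[min_severity]
    chosen = []
    for e in entries:
        if e["security"]:
            if SEVERITY_RANK[e["severity"]] >= threshold:
                chosen.append(e["id"])
        elif include_non_security:
            chosen.append(e["id"])
    return chosen


if __name__ == "__main__":
    errata = parse_updateinfo(SAMPLE_UPDATEINFO)
    print("security errata by severity:", dict(severity_counts(errata)))
    print("apply (important and above):", select_updates(errata))
    print("apply (everything):", select_updates(errata, "low", include_non_security=True))
```

The threshold is a policy knob, not a recommendation: a host that skips "moderate" errata still carries those flaws, and the count of advisories says nothing about exposure until each one is read against what the host actually runs.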

Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scott McNealy, and Bill Zeitler, a senior vice president at IBM.

For numerous examples of his writing you can search under his name at the eWEEK Website at

