Dealing with Security Alerts
"Microsoft customers were left on their own," Cox said. "For several days the only way customers could find out about this issue was from the Microsoft security team Weblog or if they read something in the press about Flash vulnerabilities and realized they had it installed. Later, Microsoft issued an advisory telling customers to visit the Macromedia site to obtain an update."

Interestingly, Microsoft's Hilf has a personal Red Hat workstation in his office that he uses on a daily basis. He selected a random week in October to provide a snapshot of the updates made to his Red Hat Enterprise Linux workstation over that period. He found that, between Oct. 6, 2005, and Oct. 11, 2005, his workstation was updated 66 times.

But Red Hat's Cox pointed out that the second update release for RHEL4 was issued Oct. 5, resulting in a very large number of updated packages over the period of a day or two, "which is what Hilf saw. We only issued two Update releases for RHEL4 in 2005, so he was quite unlucky in his choice of a random snapshot," he said, tongue in cheek.

Over that six-day period, only three security updates were released, one rated "important" and two rated "moderate," Cox pointed out, adding that from the release of Red Hat Enterprise Linux 4 in February 2005 until Jan. 5, 2006, just 15 of the total 169 security errata package updates for the year were for issues rated "critical."

Hilf also downplayed the significance of the number of updates, saying: "Our focus isn't a counting contest; it is to understand the models, the architecture for patching, and the manageability of the process. So I got a load of patches from Red Hat on my Linux workstation over the course of six days in October. Was that a big deal? Not really."

That's because Linux distributions update at the package or component level, so a Linux user is notified of individual component updates far more often than a Windows user is.
When Red Hat releases an update (rather like a Windows service pack), it issues separate advisories for each package updated, giving users the ability to obtain all the updates or to select updates based on their own criteria, Cox said. "Customers may decide to only update for critical and important security issues, for example, and can do so easily using the Red Hat Network," he said. Later this year, Hilf said, he will have about two years of data, "and I expect to have more quantifiable data at that point."
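The distinction Cox draws above, between the number of package updates a workstation receives and the number of security advisories behind them, and the "critical and important only" policy he describes, can be made concrete with a small model of a per-package errata feed. The following is an added example written for this page; it is not Red Hat Network code or any vendor tooling. The feed format, the `ADV-nnnn` advisory IDs and the package lists are constructed placeholders, and the severity ranking is an assumption that mirrors the four ratings the article mentions.

```python
"""Model of package-level errata: why a single update release shows up as many
package updates, and how a severity-threshold policy selects what to apply.

Added illustration, not vendor tooling. The feed below is constructed; the
advisory IDs are placeholders, not real RHSA numbers.
"""
from collections import Counter

# Assumed ordering of severity ratings (highest first). "none" marks
# bug-fix and enhancement advisories that carry no security severity.
SEVERITY_RANK = {"critical": 4, "important": 3, "moderate": 2, "low": 1, "none": 0}

# Constructed feed for one "update release" day: many bug-fix/enhancement
# advisories plus three security advisories (one important, two moderate),
# echoing the proportions described in the article.
# Format: advisory_id | kind | severity | comma-separated package names
SAMPLE_FEED = """
# id       | kind        | severity  | packages
ADV-0001   | security    | important | kernel, kernel-devel, kernel-smp
ADV-0002   | security    | moderate  | openssl, openssl-devel
ADV-0003   | security    | moderate  | cups, cups-libs
ADV-0004   | bugfix      | none      | glibc, glibc-common, glibc-devel, nscd
ADV-0005   | bugfix      | none      | gcc, cpp, libgcc, libstdc++
ADV-0006   | enhancement | none      | firefox, xulrunner
ADV-0007   | bugfix      | none      | rpm, rpm-libs, rpm-python, popt
"""


def parse_feed(text):
    """Parse the line-oriented feed into dicts; blank lines and '#' comments are skipped."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"malformed feed line: {line!r}")
        advisory_id, kind, severity, packages = fields
        severity = severity.lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"{advisory_id}: unknown severity {severity!r}")
        advisories.append({
            "id": advisory_id,
            "kind": kind.lower(),
            "severity": severity,
            "packages": tuple(p.strip() for p in packages.split(",") if p.strip()),
        })
    return advisories


def update_counts(advisories):
    """Return (advisory count, package-update count).

    The package count is what a user watching the package manager sees
    (Hilf's "updated 66 times"); the advisory count is what is announced.
    """
    n_packages = sum(len(a["packages"]) for a in advisories)
    return len(advisories), n_packages


def security_summary(advisories):
    """Tally severities over security advisories only (Cox's "three security updates")."""
    return Counter(a["severity"] for a in advisories if a["kind"] == "security")


def select_updates(advisories, min_severity):
    """Advisories a policy "apply security fixes rated min_severity or higher" installs.

    Non-security advisories are never selected by this policy, whatever the threshold.
    """
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {min_severity!r}")
    threshold = SEVERITY_RANK[min_severity]
    return [
        a for a in advisories
        if a["kind"] == "security" and SEVERITY_RANK[a["severity"]] >= threshold
    ]


def packages_for(selected):
    """Sorted, de-duplicated package names the selected advisories would update."""
    return sorted({pkg for a in selected for pkg in a["packages"]})


if __name__ == "__main__":
    advs = parse_feed(SAMPLE_FEED)
    n_adv, n_pkg = update_counts(advs)
    print(f"{n_adv} advisories -> {n_pkg} package updates")
    print("security advisories by severity:", dict(security_summary(advs)))
    for policy in ("critical", "important", "moderate"):
        chosen = select_updates(advs, policy)
        print(f"policy >= {policy}: {[a['id'] for a in chosen]} -> {packages_for(chosen)}")
```

Running the script shows the two views side by side: seven advisories become 21 package updates, yet only three of them are security advisories, and a policy of "important or higher" reduces the work to a single advisory covering the kernel packages.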
"I chose those dates randomly," he said. "I use this system daily, so it was literally a snapshot of a given workweek. All this illustrates is that patching and updating are part of any living software system. It is part of the nature of modern software: Things change, bugs happen, features get added, and software needs to get updated."