Sunday, June 13, 2010

Google researcher gives Microsoft 5 days to fix XP zero-day bug

It is really fascinating to read this article on the latest Windows XP zero-day bug. It appears to be ok for Microsoft cohorts to slam Linux and Open Source Software and paint it as insecure and buggy. But when people from the Linux/Open Source Software/Google community point out security issues with Microsoft products, we become the bad guys for doing so. Many of the security software providers, whose industry would not exist if Microsoft were to implement proper security procedures in the development of the Windows O/S, say it is ok for Windows users to wait at least a month for a patch to be developed and tested before it is made available to the user.

In contrast, the Linux and Open Source community pushes out security patches as soon as the patches have been developed and tested by a community of volunteer developers worldwide. This usually takes five days or less. I have been using Linux as my main operating system on most of my computers for the past three years. Prior to 2006, I used Windows 98 exclusively. In 2006 I was forced to migrate to Windows XP and started experimenting with Linux as a dual boot option.

What I found pleasing with (OpenSuSE) Linux is the fact that they do not have a fixed schedule for providing security or other updates. They simply put out all updates as they become available. Sometimes I have seen three or four security updates in less than a day, while other times I go for months with no security updates for either the operating system or installed software, regardless of the source.

In contrast, Microsoft only puts out security patches on the second Tuesday of the month. They only provide updates and security patches for the Windows operating system and other Microsoft applications, but not for installed third party software and applications.

All the security organizations listed in the article have a vested interest in going to bat for Microsoft, as these organizations would not exist if it was not for Microsoft's notorious lack of security. If you do not believe me, just check out their sites to see if they provide security for Linux. It is not that they do not provide security software for Linux because Linux is free or because not enough people use it. The reason they do not provide security software for Linux is that the Linux/Open Source Software community fixes security issues very quickly, usually within five days of becoming aware of them. As Ormandy pointed out, the Windows security developers work in isolation, which makes it difficult to create effective security patches. Linux/Open Source security software developers collaborate to ensure the security updates for the O/S do not compromise the security of installed applications and vice versa. The longest I have seen a security issue take to be fixed in openSuSE is one involving Mozilla Seamonkey. It took about two months to fix. That issue was unique to running Seamonkey in openSuSE and did not affect openSuSE itself or Seamonkey running on other distributions of Linux or Windows.
