[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011
- To: "Edward W. Ray" <support@xxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011
- From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 14 Apr 2004 08:37:44 -0700
> I use Linux, OpenBSD and Windows in my enterprise. Linux and OpenBSD use
> the "1 patch for 1 vulnerability" rule. Seems to me that MS is bunching
> their patches together in order to make it seem on the surface that Windows
> has less patches than other Oses, therefore it is more secure. CIOs, take
> note.
Yeah, this is pretty disgusting.
Seemingly harmless in application, but when you consider features often
creep into patches in M$ software, it makes it extremely difficult to
test a single mega-patch like this on a few thousand systems with
different configurations and custom software installations. I can tell
you first hand, that dealing with them in bunches severely slows the
patch release process in enterprise environments.
And I don't buy "its easier if it is all together". If your patch
management system doesn't suck, any number of seperate patches can be
applied just as easily as a subset of them.
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html