APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Microsoft comments on security

Fri Aug 29 14:58:31 GMT 2003

This article about Microsoft vs. Linux (link dead, sorry) is interesting in its own right, but a couple of paragraphs from Microsoft's position stand out for me:

Additionally, security vulnerabilities in open-source software, which often go unnoticed with the limited scenarios that actually deploy open-source software, also often remain unaddressed for long periods of time because there is no central organisation driving development. Evaluating open-source software for security is a complex proposition.

Open-source software is now a major source of security vulnerabilities. The Computer Emergency Response Team reported that open-source and Linux software accounted for 16 out of 29 security advisories for the first 10 months of 2002, whereas Microsoft accounted for seven of these 29 advisories.

That's the kind of argument you'd expect Microsoft to make, and the kind that worries me.

I would like to know why evaluating open source software for security is any more complex than evaluating Microsoft software. Certainly more eyes are available, and none of those eyes have to worry about political implications: I'm thinking of a case where fixing a security problem might cause expensive problems for other software. The open source folks wouldn't worry about that at all, but Microsoft certainly would, and might very well delay the fix because of it.

I'd also question the statistics for vulnerabilities. Again, a lot more eyes are looking for problems in open source code, and it's also a matter of record that Microsoft doesn't report problems until their hand is forced. So how valuable are these numbers?

Finally, what about the severity of the vulnerability? Many of these advisories are for obscure situations that may not even apply to commonly used software. On the other hand, Microsoft often gets sucker punched: just two days ago, for example, there were new Internet Explorer vulnerabilities serious enough to do real damage.

© Tony Lawrence