APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Microsoft comments on security

Fri Aug 29 14:58:31 GMT 2003

This article about Microsoft vs. Linux (link dead, sorry) is interesting in its own right, but a couple of paragraphs from Microsoft's position stand out for me:

Additionally, security vulnerabilities in open-source software, which often go unnoticed with the limited scenarios that actually deploy open-source software, also often remain unaddressed for long periods of time because there is no central organisation driving development. Evaluating open-source software for security is a complex proposition.

Open-source software is now a major source of security vulnerabilities. The Computer Emergency Response Team reported that open-source and Linux software accounted for 16 out of 29 security advisories for the first 10 months of 2002, whereas Microsoft accounted for seven of these 29 advisories.

That's the kind of argument you'd expect Microsoft to make, and the kind that worries me.

I would like to know why evaluating open source software for security is any more complex than evaluating Microsoft software. Certainly more eyes are available, and none of those eyes have to worry about political implications: I'm thinking of a case where fixing a security problem might cause expensive problems for other software. The open source folks wouldn't worry about that at all, but Microsoft certainly would, and might very well delay the fix because of it.

I'd also question the statistics for vulnerabilities. Again, a lot more eyes are looking for problems in open source code, and it's also a matter of record that Microsoft doesn't report problems until their hand is forced. So how valuable are these numbers?

Finally, what about the severity of the vulnerabilities? Many of these advisories are for obscure situations that may not even apply to commonly used software. On the other hand, Microsoft often gets sucker punched: just two days ago, for example, new Internet Explorer vulnerabilities were announced that are serious enough to do real damage.


© Tony Lawrence
