Bill Gates: Windows Patched Faster than Linux

petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours."

Re:Someone RAM Bill

[itchy92]

Bill never said the 640K Quote, and I'm willing to bet he never said the 4GB one, either.
I know everytime this quote is used, someone has to debunk it, but there's no reason to perpetuate a false quote by one of the geniuses of our time.

Who Solves Security Problems Faster?

[Crispin+Cowan]

My favorite study on this question was "Linux vs. Microsoft: Who Solves Security Problems Faster?" by Jim Reavis. The data is from 1999 and 2000, but it is nicely systematic. At least back in 2000, Linux was much faster than Microsoft, averaging 11 days vs. 16 days.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

I vote for "Managing the truth"

[EmbeddedJanitor]

For my sins I've done extensive work with WinCE. Often we've found serious bugs for which no fix ever came about. I've never seen a fix come out in less than a month. When you do get fixes they're in the form of "QFEs". Currently you need to download a gigabyte of this shit to fix WinCE3.0.

In comparison, I've seen Linux fixes come out in less than 30 minutes. Likely having Linux hackers spanning all time zones helps a lot to improve bug fixing time. Report bug at 6pm, patch available 8am.

Re:Patching Faster vs. Patching Easier

[AstroDrabb]

I am not saying that the Linux patching process is cumbersome, but we gotta admit that the average users (not sysadmins) just can't begin to understand how to patch their Linux boxes.

What? Have you ever used Red Hat's up2date tool? It is easier then windows update. It is just a GUI app that you click Next in about 3 times, wait for the new packages to download and your done. What in the world could be hard about that? Red Hat even has a little icon that sits in the notification area and turns a bright red with an exclamation point when there are updates available. Clicking on that brings up the uber-newbie friendly GUI to download them. No terminal (command line) involved. No rebooting involved (unless you upgrade the kernel). You can install ALL the updates at once with NO reboot between them, unlike many MS updates, especially service packs that require a reboot. Please don't mention chain loader, no average Joe is going to be able to use that.

Marketing

[ralphus]

Tricks. It's all tricks.

I recently was in a Microsoft webinar regarding patch management. If you are interested, or a glutton for punishment, this was it. At one point they showed a histogram on the screen that was intended to show vulnerabilities in operating systems and how MS was beating everyone on the planet. Major Microsoft products were all broken down by release, e.g. Windows 20003, Windows XP, Windows 2000, Windows NT, etc.. Linux and BSD were categorized by distribution only, e.g. Redhat, Debian, BSD etc...

Windows 2003 appeared at the far left with only a few vulnerabilities. Windows 2003 was actually the "winner". It even "beat" BSD! Now think about that histogram for a minute. It created false divisions that did an apples to oranges comparison. The sum total of Debian vulnerabilites likely refer to all released versions of a Debian distribution with all possible packages installed while Win2003 likely refers to only a Win2003 retail box installed with the bare minimum options.

Marketing is a black art. I have some personal experience, but NDAs to bind me. It's an art of trying to create and/or shape ideas in the mind of your customers, critics and competitors. The most successful marketing is that which makes them believe they came to the ideas you wish them to hold of their own volition.

Hiding security issues in bundles

[SgtChaireBourne]

That strategy is backed up by what Microsoft chief security officer Stuart Okin said recently, "We have developed a relationship with security researchers to avoid public disclosure of security holes."

It is also backed up with the way they fought against full-disclosure and bundling patches / advisories several years ago. A year later, the bundled patches were spun as a reduced number of vulnerabilities/advisories.

Everyone except the average stockholder knows it's over for Microsoft, especially as it's customers are figuring out that, despite bleatings from the marketing teams, Windows is not ready for the Internet. The bad reputation they've worked so hard to earn in the tech community is now starting to spread to the general public.

A specific example.

[AYeomans]

Let's look at MS03-041, examine the Windows XP Gold patch.

Run "WindowsXP-KB823182-x86-ENU.exe /x" to extract the components.

24 Jul 2003: date of most recent component file
25 Jul 2003: date of patch file (using wget to obtain timestamp).
14 Oct 2003: "Date published" according to Microsoft.

I make that 82 days to release.