Slashdot Mirror


Bill Gates: Windows Patched Faster than Linux

petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours."

13 of 679 comments

  1. Linux the kernel or Linux the system? by Mark19960 · Score: 2, Interesting

    It seems that Microsoft is attacking the system, not the kernel.
    I haven't really heard anything about Linux, really.
    I have heard about the SSH issues, etc., but never about Linux. SSH, OpenSSH, etc. are just parts of a Linux system, or BSD for that matter.
    Has there actually been a Linux KERNEL exploit in the last few years?
    And besides, when there is a Linux KERNEL exploit it's fixed in hours, or minutes! I think it would be impossible for M$ to match that.
    This article qualifies for more M$ FUD.

    1. Re:Linux the kernel or Linux the system? by Anonymous Coward · Score: 1, Interesting
      OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.

      Not true. OpenSSH is third party software, to fill a specific task. RPC is vendor provided software that the system (says it) won't function without.

      Microsoft has been good lately about doing proactive security reviews, and they often find holes before anyone else does.

      *cough cough* Now there's a stretch. From the Microsoft security list:
      • Greg Jones of KPMG UK (http://www.kpmg.co.uk) and Cesar Cerrudo (cesarc56@yahoo.com) for reporting the issue described in MS03-042.
      • The Last Stage of Delirium Research Group (http://lsd-pl.net) for reporting the issue in MS03-043.
      • David Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com) for reporting the issue in MS03-044
      • Brett Moore of Security-Assessment.com (http://www.security-assessment.com) for reporting the issue in MS03-045
      • Joao Gouveia (joao.gouveia@vodafone.com) for reporting the issue described in MS03-046
      • Ory Segal of Sanctum Inc. (http://www.sanctuminc.com/) for reporting the issue described in MS03-047

      That's just the six most recent vulnerabilities. Older items sometimes don't mention the part played by others, but merely list them as acknowledgements, such as:

      • eEye Digital Security (http://www.eeye.com/html)
      • NSFOCUS Security Team (http://www.nsfocus.com)
      • Xue Yong Zhi and Renaud Deraison from Tenable Network Security (http://www.tenablesecurity.com)
      • Jim Bassett of Practitioners Publishing Company (http://www.ppcnet.com)
      • Mike Price of Foundstone Labs, http://www.foundstone.com
      • Oliver Lavery (oliver.lavery@sympatico.ca)

      It's almost impossible to find a vulnerability that Microsoft found and fixed entirely by themselves. Mod parent down.
    2. Re:Linux the kernel or Linux the system? by Qzukk · Score: 2, Interesting

      OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.

      Wow, you mean there's no way at all I could run a box without OpenSSH? You should tell that to my workstation I'm writing this on right this second.

      Sure, you can turn off RPC after you install Windows, but I had Debian installed without any servers at all. Do you think you could log in and shut off RPC fast enough to avoid picking up a worm or two while on a network (like, say, when you register XP over the internet)? Just to let you know, my friend brought his laptop over and hooked it to the internet for the first time, and he picked up the worm while we were still waiting for Windows Update to get started downloading the fixes.

      they often find holes before anyone else does. Linux mostly seems to do reactive fixes

      Define "before anyone else does". You mean some indeterminate time between when some group with a zero-disclosure policy discovers the bug and reports it directly to Microsoft months ago and when Bored College Student discovers it a week ago and takes down his school's registrar's office? Just because the bug doesn't show up on major-name-brand bug lists doesn't mean people don't know about it. Take the recent OpenSSH bug: there were exploits in the wild and rumors of it being used long before the bug itself was announced.

      So, given Microsoft's history of whining at the full-disclosure lists, where it's obvious that Microsoft takes weeks to months to patch a problem, isn't it obvious that they much prefer the zero-disclosure method, where they take weeks to months to patch a problem but you don't know about it?

      Microsoft has been good lately about doing proactive security reviews

      The only reason we got a half-dozen patches this week was because Microsoft was already fixing two holes in a row in the RPC code that someone else found. If this had been policy, then IIS would have been entirely fixed within weeks of the first bug in it, and it wouldn't be the bug-ridden unused pile of junk it is now (which disproves the old saying that "if it was more popular there would be more attacks for it", which doesn't hold for Apache). But alas, nobody took the time to proactively fix IIS, or much of anything else Microsoft has released. Though it's hard to tell what all is getting patched these days, since Microsoft has dumbed down their patches to the point where they read "install this patch or a remote attacker could take over your system" and are completely devoid of any information whatsoever.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  2. Bah! The suits at Microsoft are running scared by Trolling4Dollars · Score: 4, Interesting

    Why do you think they are giving Linux so much attention these days? I think this means we are now in between the "They laughed at us" and "They tried to fight us" part.

    And if we follow Mahatma Gandhi's approach, the best approach is to keep doing what we do while letting MS bash away. Eventually it will become quite evident as to which side is interested in doing good for their fellow man.

  3. RPC vulnerability returns. AGAIN!!! by FreeLinux · Score: 2, Interesting

    There were 7 updates yesterday!

    And none of those updates covered the RPC vulnerability, again! That's right, the Microsoft RPC vulnerability that has already been patched twice is STILL vulnerable and an exploit exists. Word is that Microsoft has been informed but, as usual, no word from Microsoft yet. The notification was sent 10 days ago.

    So much for 24-hour patches. On the other hand, I must admit that I have no desire to reboot my servers every 24 hours, so it's just as well that Bill isn't as fast as he says he is.

    I wonder if they will actually fix RPC on the third attempt.

  4. Re:Someone RAM Bill by protohiro1 · Score: 3, Interesting
    I did some research because I am a geek. The earliest post on Usenet is from 1992 and it is someone's sig. The closest real, attributed reference that might be the origin of this I could find is this:

    It's certainly enough memory. The Mac started out with 64K, which is one sixteenth of what the Lisa started out with. Because the Mac's bit map is smaller than the Lisa's, we thought we could do something with that amount of memory. But we were pushing for 128K all the way, and about a year ago we switched to 128K. We figured out how to squeeze the applications down to that size.

    When you're writing applications that are going to be simple to use, it's important to have some boundaries that prevent you from throwing in an unlimited number of features; the memory size provides that limit. Certainly what we've got in terms of Multichart, Multifile, Multiplan, and Microsoft BASIC on the Mac are as rich as on any other machine we've seen. I think the people at Apple would openly admit that Plan, File, and Chart are more powerful than their equivalents on the Lisa, and yet they run on an eighth as much memory.

    When you do get more memory, you'll be able to have multiple applications active or have more data space available. It's partly those boundaries that have forced us to find more clever ways to do things and stay within the memory size. It's caused us to be more innovative than we would have been if we'd had a megabyte.

    -- Bill Gates, interviewed by David Bunnell in Macworld, volume 1, issue 1, 1984, pages 44-45.
    --
    Sig removed because it was obnoxious
  5. Re:Forced patches? by mikeswi · Score: 3, Interesting

    Many of them (solutions) have been extensively covered recently, including plans to force users to patch automatically.

    Yeah, I don't foresee any potential problems with that plan.

    I think the original post is misleading. Gates didn't say anything about forcing updates. He said that by default they would be installed automatically. There was no mention of forcing that.

    From the article:

    Microsoft is also going to make sure that people install firewalls and updates by default. "None of the security problems recently affected people who had their software up to date," Gates said. "But we made it too complex for most people. Critical security patches should be applied with the speed of the internet."

    From now on, Microsoft will install these patches automatically. And it will bring the size of the patches down to satisfactory portions. "We used to send megabytes of software to fix a 20 byte file," Gates said.

    That's fine by me. Make it the default but leave a way to turn it off for those who wish to. Microsoft has a habit of putting out buggy patches that create worse problems than whatever they are fixing.

    I wouldn't even mind if they made the off switch hard to find. If someone can't figure out on their own how to turn the thing off, most likely they are exactly the type that needs it turned on.

  6. Re:YA *I* think he's referring to... by Mattcelt · Score: 3, Interesting

    My thoughts exactly. The fact is, MS usually waits until it is ready to release a patch before it announces the vulnerability, and whines loudly when someone decides to notify the user community before the hotfix is available.

    The problem is, the bug may be discovered independently by some knowledgeable crackers and taken advantage of for months while stolid MS works at its own pace to 'fix' the problem. (Which, incidentally, often a) doesn't fix the whole problem, or b) introduces other problems.)

    Worse yet, when the user community doesn't have knowledge of a problem and a cracker does, the user, who may have been able to obviate the problem through another means (blocking RPC at the firewall, or whatever), is now left defenseless until MS gets around to telling them about the problem.

    So if MS can keep everybody's mouth shut about the problem until it's ready to release the patch, of course they're going to have an incredible record for getting patches out quickly.

  7. Crediting MS Trolling by _Sprocket_ · Score: 2, Interesting

    You guys... tout how "open source is great because problems get fixed right away!", but when MS catches up to that, all you can focus on is Bill Gates making a comment about Linux that isn't favorable.

    You're right. Microsoft has gotten better. Whether they've caught up is a point for debate. But at least they have generally improved their reaction speed. Let's give credit where it's due.

    Now - issues such as ignored bugs, fundamental design flaws, non-patches, destructive patches, so-called Responsible Disclosure, "I wish those people just would be quiet", etc. are all fodder for other holy wars.

    Geez, you guys find fault in every attempt Microsoft makes to address the issues you all have been noisy about.

    Heaven forbid someone think that Microsoft's attempts to "address the issues" might be anything but. You refer to this whole article as an anti-MS troll. Pray tell what you think Mr. Gates' statement is. How does Linux play into the improvement of Microsoft's commitment to a secure product?

    Instead of trying to get in a (questionable) jab at Linux... perhaps he could have referred to his own company's record. Something along the lines of "We've gone from little over 40 hours on average to 24 hours. We've really improved since the mid-90s and Windows NT when we didn't really have any focus on security."

    But hey - that's just not Mr. Gates' style. And I'm sure he's got quite a following of fanboys who call that "aggressive" and "good business". Even as they sneer at "Linux zealots" and "anti-MS" criticism.
  8. Re:YA *I* think he's referring to... by Penguinshit · Score: 2, Interesting

    IIRC, I got my Debian SSH and Sendmail patches same-day. I have NEVER seen Microsoft even respond to a bug submission that fast, let alone release a working patch.

  9. Re:Lying or Misinformed? by EvilTwinSkippy · Score: 2, Interesting
    You have obviously never rolled out a new version of Windows or Office. I've had all of those problems, AND MORE. And that's from the same vendor with the same supposed product.

    I have set up Linux and Windows workstations in production environments. Hell, most of the people who use my Linux terminals are oblivious to what's running underneath, save that it is Windows. Is it a drop-in replacement for Windows: hell no. Can it work on a large scale: hell yes. Do you realize that certain design assumptions built into Windows are utterly asinine: only if you did it right.

    Your first sign of trouble is a "week-long rollout." For God's sake, it's taken our organization 3 years to migrate to 2000. And that's only 300 workstations. We are installing Linux on our end-of-life machines and setting it up in a few public labs for people to beat on. I find out what people break (or perceive as broken) before I reformat one machine.

    And for the record, if you are migrating to Linux to save money you missed the point.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  10. Re:he's probably not lying... by sheldon · Score: 4, Interesting

    "And most likely, it's being mis-measured by someone."

    It's certainly being mismeasured by the Linux community. While I haven't done a thorough study, I make note of a Konqueror patch that came out last year.

    - The Linux community touted it as proof patches were fast, because it was in the source tree in 90 minutes
    - It took one month before KDE released a new binary compiled with the patch
    - It took an additional month before Red Hat incorporated this into a patch for their Linux distribution.

    The issue also impacted IE, and it took Microsoft two weeks to release a binary patch on Windows Update.

    The Linux community claimed 90 minutes, when it was really two months.

    Microsoft counted it accurately as two weeks.

    Just reporting good news to yourself doesn't make you better.

  11. Re:Maybe? by Randolpho · Score: 2, Interesting

    And you're aware of some elusive Open Source software program that "hardly ever" needs a patch?

    'cause I still haven't found one. :)

    --
    "Times have not become more violent. They have just become more televised."
    -Marilyn Manson