MS Security Chief: Windows Never Exploited Until Patch Available 1040
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
Oh really? (Score:5, Funny)
"The Sky is green."
"Earth is the center of the universe."
Other ridiculous statements that have also been proven false.
So, let me get this straight, Windows will become more secure if Microsoft stops issuing patches?
Sakes alive, the Microsoft spin machine has been well oiled this morning!
ChaoticChaos
"If Windows wasn't vulnerable until the patch was released, why was the patch released in the first place???"
Re:Oh really? (Score:5, Interesting)
Re:Oh really? (Score:5, Insightful)
Re:Oh really? (Score:5, Insightful)
What this is is security through hiding problems you find and hoping that no one else finds them.
RonB
Re:Oh really? (Score:5, Funny)
Re:Oh really? (Score:5, Funny)
"We think it is due to our patented time-traveling module," quips Steve Balmer.
Re:Oh really? (Score:5, Funny)
It's true! I was copying a file over the LAN the other day, and IE said it had -8342563246 seconds to go!
Microsoft Time (C)(R)(TM)
Where do you want to go yesterday?
Re:Oh really? (Score:5, Funny)
Re:Oh really? (Score:5, Informative)
print "this already exists\n" if ($usingPerl);
Re:Oh really? (Score:5, Funny)
open ( PERLYGATES ) or die "Trying";
Re:Oh really? (Score:5, Funny)
Re:Oh really? (Score:5, Funny)
Re:Oh really? (Score:5, Insightful)
Re:Oh really? (Score:5, Informative)
Re:Oh really? (Score:5, Funny)
Slashdot stories always accurately summarize the content of the linked story, and wouldn't ever misrepresent "vulnerabilities are hardly ever exploited before patches are released" as "is never vulnerable until a patch appears".
Re:Oh really? (Score:5, Informative)
In the article, it seems quite clear that what they're saying is that most exploits come after the hackers have had a chance to compare patched VS unpatched systems to see what the changes are. But it's not just Microsoft saying this: In other words, I can see the point of view expressed in the article. I disagree with the parent in part (I think the attribution in the Slashdot story is sufficiently accurate) but that the specific (never had vulnerabilities exploited before the patch was known) is probably hyperbole. Hackers might be lazy, but they're not non-existent. There's no way M$ could even KNOW how many exploits have been made.
Re:Oh really? (Score:5, Insightful)
The really scary part is that this wasn't said by some marketing guy like Gates or Ballmer, it was said by the Microsoft Security Chief.
Re:Oh really? (Score:5, Funny)
Re:Oh really? (Score:5, Funny)
then we downloaded damn patch
Could this mean... (Score:5, Funny)
I don't know about you but I confused myself.
Re:Oh really? (Score:5, Funny)
They must have had a delivery of snake oil
Re:Oh really? (Score:5, Funny)
One! One exploit without a patch, and that other one against Internet Explorer.
Okay, two exploits without a patch. Unless you count the many against Outlook Express.
AMONGST THE EXPLOITS WITHOUT A PATCH ARE... Can we start the interview again?
Wrong (Score:5, Insightful)
But now that the patch is out, you can expect hackers to know about the vulnerability and attack you if you don't have the patch.
They are dumb, don't try to play dumber.
Re:Oh really? (Score:5, Insightful)
only Microsoft finds exploits (Score:5, Insightful)
say [pun]"Only Microsoft exploits exploits"[/pun]...
from the article
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Here you are. They said it, officially.
I seem to remember that my debian stable is composed of 1-2 years old software, and, regularly patched, will stay secure without even having to reboot...
PEOPLE !!! "If you want more secure software, upgrade."
Re:Oh really? (Score:5, Interesting)
Regards,
Steve
Re:Oh really? (Score:5, Insightful)
It's not Microsoft's fault your Windows servers have been hacked, infected and your entire system is down, it's the fault of your IT department for not keeping up to date on the Windows patches. You see Microsoft software is 100% secure as long as you keep up to date on the patches.
I'm not sure whether this is uncertainty or doubt, though.
Re:Oh really? (Score:5, Interesting)
I'm not trying to defend the parent poster to which you replied; but, the reason *anybody* needs to issue a patch even when there are no exploits to begin with is because sooner or later, one will exist.
See, if some researcher finds a hole, he's not the only genius in the world who can find it. Someone else will eventually. If the manufacturer of the product with the newly discovered hole sits on its arse and does not issue a patch, even if no known exploits exist, said manufacturer is leaving its customers vulnerable to attack. This is a disservice to those customers...and one that will lose said customers. Especially when it comes out that the latest worm/crack/etc. exploited a vulnerability the manufacturer knew about for six months, but sat on it instead of fixing it for you.
What Microsoft wants to do, I'm sure, is to make distribution of patches similar to AOL's software update. You turn on your computer, boot up Windows, and it initiates an encrypted conversation with Microsoft HQ...then says to you: "Windows needs updated, please wait..." while it downloads and installs whatever it is Microsoft wants to install on your PC today without telling you what that is.
That would be Microsoft's "security" wet-dream, if you ask me.
Logic??? (Score:5, Insightful)
The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.
Post hoc, ergo propter hoc (Score:5, Insightful)
At best, the notion that patches are the source of all exploits is a logical fallacy [datanation.com]. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.
I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.
Re:Post hoc, ergo propter hoc (Score:5, Insightful)
The problem with this reasoning is that it assumes the only people writing exploits are lazy/clueless enough to wait for someone to tell them what to exploit. It ignores the fact that there is a community of hackers out there actively looking for the holes.
Re:Post hoc, ergo propter hoc (Score:5, Insightful)
I somehow think the quote might have been taken out of context, especially when he states that:-
"Many people reverse engineer the patch and then build the exploit code,"
I have a feeling that the main point of his statement, was that the majority of attacks are on unpatched systems. Certainly when you consider Symantec's Mr Beighton's statement:-
"It's a myth that hackers find the holes,"
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.
Which would probably be true, once the problem is widely known, then there is more likelihood for an exploit to be devised. Hence the more devastating attacks such as Code Red were centred around a previously patched exploit.
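The "reverse engineer the patch" step the posts above describe comes down to diffing the pre- and post-patch code and asking what check the vendor added. The script below is an added example, not code from the thread or from Microsoft: the two disassembly listings are constructed stand-ins for one routine before and after an assumed fix (not real Windows code), and the heuristic that flags an inserted compare as the fingerprint of a bounds-check fix is an assumption about what such fixes usually look like, not a description of any particular patch. Real patch-diffing tools match functions across whole binaries; this shows the core idea on a single function.

```python
"""Diff disassembly listings of one function before and after a patch and
point at the check the patch inserted.  Added example with constructed
listings; see the lead-in for what is assumed."""
import difflib

# Constructed: copies ecx bytes from the caller's buffer into a 256-byte
# stack buffer with no length check.
UNPATCHED = """\
push ebp
mov ebp,esp
mov ecx,[ebp+12]
mov esi,[ebp+8]
lea edi,[ebp-256]
rep movsb
pop ebp
ret""".splitlines()

# Constructed: the same routine with an assumed fix that rejects lengths
# above 256 before the copy.
PATCHED = """\
push ebp
mov ebp,esp
mov ecx,[ebp+12]
cmp ecx,256
ja short fail
mov esi,[ebp+8]
lea edi,[ebp-256]
rep movsb
pop ebp
ret
fail:
xor eax,eax
pop ebp
ret""".splitlines()

# Mnemonics whose insertion usually means a validation was added.
CHECKS = {"cmp", "test"}


def added_blocks(old, new):
    """Instruction runs present only in the patched listing.

    Returns (old_index, block): old_index is where the run sits relative to
    the unpatched listing, so old[old_index - 1] is the instruction it
    follows and old[old_index:] is the code that ran without it.
    """
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [(i1, new[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace")]


def suspected_checks(old, new):
    """Inserted compare instructions and the unpatched code they now guard.

    A compare added right after a value is loaded is the usual fingerprint of
    a missing-bounds-check fix; the unpatched instructions that follow are
    where that value was consumed unchecked, i.e. where to look for the bug.
    """
    hits = []
    for i1, block in added_blocks(old, new):
        for ins in block:
            parts = ins.replace(",", " ").split()
            if parts and parts[0] in CHECKS:
                hits.append({
                    "after": old[i1 - 1] if i1 > 0 else None,
                    "check": block,
                    "operand": parts[1],
                    "unguarded_in_old": old[i1:],
                })
                break
    return hits


def unified(old, new):
    """Plain unified diff of the two listings, for the human reader."""
    return "\n".join(difflib.unified_diff(old, new, "unpatched", "patched",
                                          lineterm=""))


if __name__ == "__main__":
    print(unified(UNPATCHED, PATCHED))
    for hit in suspected_checks(UNPATCHED, PATCHED):
        print(f"\ncheck on {hit['operand']} inserted after "
              f"'{hit['after']}': {hit['check']}")
        print("ran unchecked in the unpatched build:", hit["unguarded_in_old"])
```

On these listings the script reports one inserted check on `ecx` placed right after `mov ecx,[ebp+12]`, and lists `mov esi,[ebp+8]` / `rep movsb` as the unguarded path: exactly the attacker-controlled length feeding a fixed-size copy that an exploit for the unpatched build would target.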
Simple solution (Score:5, Insightful)
Also liked this quote, from the end of the article:
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Hmmm.
Criminal tools like "diff"? (Score:5, Funny)
"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."
I guess that explains why Windows doesn't include a "diff" function...
Re:Criminal tools like "diff"? (Score:5, Interesting)
fc - from your old DOS days - stands for file compare
I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)
Re:Criminal tools like "diff"? (Score:5, Informative)
In other news... (Score:5, Funny)
So... (Score:5, Funny)
So, instead of poor programming it's incompetent management?
An article disproving this... (Score:5, Insightful)
Re:An article disproving this... (Score:5, Interesting)
Nah... God gets questioned more.
(You can even double check me: I can't remember a single instance in the Bible where God's command wasn't questioned...)
Must have a good source for that stuff... (Score:5, Funny)
I love how people with vested interests are called 'experts'
thhhhhhhhhtttt *choke* *gag* "ahhhhhhh" So as I was saying, hackers haven't found any of these flaws and exploited them before they were patched. Man, this is some strong crack, I almost believe what I said, myself"
And how do these fine experts actually know there aren't, at this moment, flaws being exploited left and right? Ah, they're experts, of course!
What happened to the month of March? (Score:5, Funny)
Iraq (Score:5, Funny)
Security is in the eye of the beholder (Score:5, Interesting)
Spin, spun, spend (Score:5, Interesting)
There *must* however be laws against making statements *that* outrageous...
Simon.
Re:Spin, spun, spend (Score:5, Interesting)
If the truth in advertising laws don't cover this, I would think that there are SEC regulations that do, particularly regarding an officer of a publicly held company knowingly making false statements to the public. Anyone know when the next insider trading window for Microsoft is scheduled?
Assume for me... (Score:5, Insightful)
-m
Re:Assume for me... (Score:5, Insightful)
Sigh, it's a losing battle arguing with them, and I've pretty much given up.
On the same logic (Score:5, Insightful)
Reply to this post with your street address and your usual work hours, thanks!
Re:On the same logic (Score:5, Insightful)
A better analogy: It's more likely that a robber will be able to break into your home if he heard you explain how the lock on your door doesn't work terribly well. This sounds more reasonable, and is more like the point he was trying to make.
Re:On the same logic (Score:5, Insightful)
Until someone tries to open the door to see if it is actually properly locked, or gets a tip that it isn't.
Therein lies the flaw of "security through obscurity".
I know exactly the point that he wants to make, it's that if no one talks or reports the security holes it's not a problem. But it IS!
Partly right (Score:5, Insightful)
As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft just about gave out what is the problem and how to exploit it.
So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.
Just my opinion.
Re:Partly right (Score:5, Insightful)
1) Identify known, 'in the wild' virii, that took advantage of a Microsoft vulnerability before MS announced a patch.
2) Identify how many virii were developed/released using knowledge derived after announcement, or release of, a patch.
Obviously there's way too many viruses to do a complete list, but say the major 10 virii per calendar year, would be a good sample. Case 1 would identify how many vulnerabilities are discovered by hackers through their own active behaviour, whereas Case 2 would help narrow down the % of virii related to script kiddies I think. I suspect the number of virii leveraging net-new vulnerabilities vs clones of existing code are at least 10:1.
In the end, I unfortunately fear that there's a lot of truth in Microsoft's statements. It doesn't absolve them of being responsible for developing poor code in the first place, but the correlation they've identified is probably valid.
Re:Partly right (Score:5, Informative)
24 unpatched IE exploits. No patches. Still exploited.
QED.
What the Fuck? What the Fucking Fuck Fuck? (Score:5, Funny)
"Bullshit" doesn't begin to do justice of the level of falsehood present here. We're talking about taking the very essence of falsity, distilling it over the flames of ignorance, condensing it within intestinal walls of monumentally bovine intellectual apathy and sponsoring a college kegger with the elixir-excremento obtained therefrom.
Just one?? Really?! (Score:5, Informative)
XP = Legacy? (Score:5, Funny)
So is that what they're calling WindowsXP now?
They don't get the point... (Score:5, Interesting)
This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?
Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.
-Charles
P.S. -- How can I ever get "first post" if the damn article quotes make me laugh so hard I can't type?
Iraqi Information Minister working for MS? (Score:5, Funny)
"The infidels' packets are slaughtering themselves at the ports to our OS"
"There are no exploits against windows, they are all lies from the so called Open Source community"
"We removed the Windows Update site to better serve our loyal followers."
MSFT mentioned!! Slashbot tantrum time!!! (Score:5, Insightful)
There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at windows update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.
The MSDN knowledge base is a great source for folks looking for exploits, they very often have step-by-step directions to reproduce the problems.
That's how you get root on linux boxes too, you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.
And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosophy behind your OS choice.
Logic? (Score:5, Funny)
Bug Free == More Secure (Score:5, Interesting)
Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.
Clearly worms are a security threat. But there are many other security threats.
Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.
Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?
Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.
If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly that no app ever fails or hangs on me, when I no longer hear or see a BSOD, when hell freezes over -- then Windows will be truly secure.
I can't agree with this statement... (Score:5, Interesting)
I've had my Windows XP system compromised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site which downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.
I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there either. Took a bit of work but it was eventually killed and I removed the programs from the system.
Microsoft has no explanation for this other than "practice safe browsing". Great. So how is that accomplished using IE?
BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh I'm sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.
ROFLMAO (Score:5, Interesting)
How about they read and follow instructions to write exploits, or download and modify proof of concept code? Sounds a whole lot easier and lazier to me than reverse engineering the patches. And given that many of the script kiddies don't even understand the code that they themselves use...
And that's the head of MS security dept. speaking? Now it all makes sense! At least the BBC had the decency to call them malicious hackers.
Then explain this. (Score:5, Informative)
Mockery aside, how about the counterexamples? (Score:5, Interesting)
I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).
What other counterexamples do we have to show precisely how wrong Microsoft's statements are?
Re:Mockery aside, how about the counterexamples? (Score:5, Informative)
Back in the original 95 release, MS had a neat little bug. If you shared a folder, it was shared to the outside world by default (as it still is today, but I digress). The only security offered from within Windows was to password-protect the share. Now, the exploit:
Windows 95, and also at least the original 98, both contained a bug in which only the first character of the password had to be guessed. So, if your password was "Slashdot", I could get into your share by simply using "s". Yup, 26 tries and I'm in (iirc windows passwords have to start with a letter, but even if not, the ascii character set isn't that big). Forget dictionary attacks on the password, you were basically in within a second - and of course denied logins didn't count against you.
The patch for this wasn't released until well after 98 was on the market, which meant it sat for at least 3 years unpatched. I know damn well that it was known and being exploited before then, because I used to play jokes on my friends by getting into their supposedly protected folders. This was back in 1996.
Opaserv, among other worms, used this hole to spread through a lot of systems, but I can't find the first date any of these were noticed. So I can't prove large-scale exploitation of this hole, but I do know that at least I was using it well before it was patched.
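The share-password bug in the post above is worth seeing as code, because it is a textbook case of a check that accepts a guess after comparing too little. What follows is an added example, not code from the post or from Windows: the vulnerable routine models the defect the post describes (a one-character guess opens the share) by assuming the server compares only as many bytes as the client sent, which is one mechanism that produces exactly that symptom; the case-insensitive comparison is kept in both versions so only the length handling differs, and the 14-character cap on the search is an assumed password limit. The example also goes one step beyond the post: a prefix compare is an oracle for every position, so the same loop that finds the first character recovers the whole password in at most alphabet-size tries per character instead of alphabet-size to the power of the length.

```python
"""Model of a share-password check that compares only the bytes the client
sent, beside a full-length compare, with the attacker's loop against both.
Added example; the defect mechanism and password limit are assumptions."""
import hmac
import string

# Single-byte guesses the attacker will try, in order.
ALPHABET = string.ascii_uppercase + string.digits + string.punctuation


def normalize(pw: str) -> bytes:
    # Both versions compare case-insensitively, as the post's "s" for
    # "Slashdot" implies, so the only difference below is length handling.
    return pw.upper().encode("ascii", "replace")


def vulnerable_check(stored: str, supplied: str) -> bool:
    """Assumed defect: compare only as many bytes as the client supplied.

    A one-byte guess is therefore tested against the first byte alone, and
    any correct prefix is accepted as the whole password.
    """
    s, c = normalize(stored), normalize(supplied)
    if not c:
        return False
    return s[:len(c)] == c


def fixed_check(stored: str, supplied: str) -> bool:
    """Require equal length and equal content.

    compare_digest also avoids leaking the position of the first mismatch
    through timing, which would otherwise reopen the same prefix oracle.
    """
    s, c = normalize(stored), normalize(supplied)
    return len(s) == len(c) and hmac.compare_digest(s, c)


def guess_first_char(check, stored):
    """Attacker loop from the post: send one-byte passwords until accepted.

    Returns (accepted_char, attempts), or (None, attempts) if none worked.
    """
    for attempts, ch in enumerate(ALPHABET, 1):
        if check(stored, ch):
            return ch, attempts
    return None, len(ALPHABET)


def recover_password(check, stored, max_len=14):
    """Extend an accepted prefix one character at a time.

    Against the prefix compare this recovers the full password in at most
    len(ALPHABET) tries per position plus one final round that finds no
    extension; against the fixed check it stops after the first round.
    """
    prefix, attempts = "", 0
    while len(prefix) < max_len:
        for ch in ALPHABET:
            attempts += 1
            if check(stored, prefix + ch):
                prefix += ch
                break
        else:
            # No single-character extension accepted: done (or never started).
            return prefix, attempts
    return prefix, attempts


def full_search_size(stored: str) -> int:
    """Guesses a proper check forces: every combination of the full length."""
    return len(ALPHABET) ** len(stored)


if __name__ == "__main__":
    pw = "Slashdot"
    print("vulnerable accepts 's':", vulnerable_check(pw, "s"))
    print("fixed accepts 's':", fixed_check(pw, "s"))
    print("first char (vulnerable):", guess_first_char(vulnerable_check, pw))
    print("full password (vulnerable):", recover_password(vulnerable_check, pw))
    print("full password (fixed):", recover_password(fixed_check, pw))
    print("guesses a correct check forces:", full_search_size(pw))
```

Against the modelled bug the one-byte loop opens "Slashdot" on the 19th try and the prefix loop recovers the whole password in 166 tries; against the fixed check neither succeeds and the attacker is back to a full search of 68^8 guesses. The practitioner's takeaway is to compare the stored credential's full length, never the client's, and to do it in constant time.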
Why read the BBC anymore? (Score:5, Insightful)
Let's start a list of counterexamples (Score:5, Informative)
I'll give 2:
1) The original Melissa email virus (enabled by idiotic default settings in OE)
2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.
Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.
Others?
In related stories (Score:5, Funny)
Film at 11:00 (just after the anchorman tells us about all of the muggings he committed).
This vuln wasn't found in a patch! (Score:5, Informative)
As for real security experts, they routinely find vulnerabilities in Windows [eeye.com] before sending a description to MS which would then, a few months later, issue a patch. Maybe.
There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.
well i can tell you for a fact... (Score:5, Interesting)
A cracker's mind? (Score:5, Insightful)
Any sane cracker won't report his latest exploit to bugtraq. He will continue to use it until someone else finds out about it. When it hits MS and they patch it the cracker will have found another hole to use. The most dangerous break-ins are of course corporate espionage and I think the ones doing those have a field day on Windows right now. They don't use common exploits that intrusion detection systems detect since they want in and out unnoticed, even if the systems in the target are unpatched.
Symantec partly agrees... (Score:5, Insightful)
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.
For the most part, I think this is true. Most Windows exploits DO "magically" appear a few days or weeks after a patch is available. Of course, hundreds of thousands of users never patch, or never patch in time. The "magic" lies in the symbiotic relationship between anti-virus software producers and malware creators.
None of this excuses MS from releasing Swiss cheese code, but it looks like a lot of malware gets created after a "proof of concept" has been released by "security researchers".
Counterexamples? (Score:5, Insightful)
Maybe they knew about the vulnerability for a week at that moment, maybe they were testing the patch, but the patch was not yet available, existing systems were being actively exploited, and site owners had no clue about that vulnerability because of the "will be no exploit till we release this patch" policy.
I'm not sure if that is the best example, but at least is one that is enough to show how much bullshit they used to tell in public.
IIS & Internet Explorer (Score:5, Informative)
http://news.com.com/2100-1009-993276.html
(This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)
And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
Things that need to be pointed out. (Score:5, Insightful)
Few quick observations...
1.) Microsoft end-of-lifed windows98 on Jan 16th of 2004. That's 6 years of supporting an operating system, folks. That's impressive. $100, and you got downloadable updates for 6 years? RHN subscriptions or enterprise linux don't touch that. So, if they don't provide security updates for it anymore, it's only because, in terms of software, it's ancient and it should be phased out. Upgrading to get security sux, but who'd buy a new computer and willingly want to use their old win98 on it (i know slashdotters can always come up with whatever reasons for anything, but in the general public).
Yes the Linux kernel, even back to 2.2, is still being updated. And yes, linux updates don't cost money. But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."
2.) The article claims windows has not had security holes that were exploited before a patch was available. I don't think this was true, but keep in mind, the VAST VAST majority of Microsoft problems are with outlook, internet explorer, office, IIS, exchange, etc. Technically, these are not windows problems. It's like saying that wu-ftpd has an exploit that gives a user root access (which is almost always true), and then blaming that on the kernel dev team.
Or, it's like OpenBSD. "Only one remote hole in the default install, in 7 years". My ass. The default install is unusable as an OS. How do they accomplish their security claim? Partially through well-written systems. Partially through turning off every freaking useful service known to man that you would want to run on a server. And yet, people hold them up as a paragon of security. The holes in OpenBSD are from other programs, the masses cry. But no one thinks about the same thing in terms of microsoft.
3.) The time warp thing is confusing me. Everyone is saying that it's a logical fallacy that Microsoft could have released patches for security bugs that are not yet discovered? Or, what, i'm not following. They have the code, they test it, they find a bug, they try to release a patch before it gets exploited. This involves, as has been discussed, not mentioning that there is a bug, but i suppose security through obscurity is still security.
How many times have we seen a story on slashdot that exclaims how microsoft has yet another hole (!!!!1!) and then, 40 minutes after the bashers have played their part, someone comes on and says "people should have applied this patch (link) which is discussed in MS Knowledge base 7498923298232"? I see it all the time.
The average linux user is smarter than the average windows user. Therefore, we tend to keep our shit up to date. Microsoft tries to make it as easy as they can, but there's no such thing as idiot proof (i mean, in windows XP, the windows update service pops up on the first run of the OS and asks you if it can run in the background, checking for updates, and downloading / installing them automatically for you!).
I'm not trying to defend microsoft here, all I'm saying is that, before you bash them, think.
~Will
He makes a good point (Score:5, Insightful)
Although the MS guy overstates his case, it isn't always a good idea to release a patch for a system after an exploit is discovered internally that is not well known. The problem is that releasing the patch also alerts malicious individuals of the vulnerability. The real problem that must be solved first is figuring out a way to deploy a patch at a level near 100% so that releasing the patch does more good than harm.
Poor analogies (Score:5, Insightful)
Why is this phenomenon so hard to accept? When I first played around with Linux, I put up a server on multiple T1's of bandwidth to experiment. After pointing a domain to the system, it was attacked and compromised regularly, but only after a patch was released. Yes, that's right, Linux suffers the same problem. Now, I'm certainly not advocating the cessation of security patch development. The people reverse-engineering patches for exploits are small potatoes--the real threat is the person capable of ascertaining and exploiting holes on their own. However, releasing patches does facilitate the development of exploits by those who would otherwise be unable.
I hate Microsloth as much as the next geek, but the issue here is not whether patches facilitate attacks (of course they do). Exploits will occur regardless, and I for one would rather have the opportunity to pro-actively patch my systems instead of hiding in a Saddam summer home. The issue is half-assed buggy software that requires so many patches, and security holes that totally compromise systems.
Oh, and I don't buy the 'logical fallacy' BS either--I've seen it happen, so obviously their argument is invalid, or the premises false, or both.
"Even logic must give way to physics."
Put your money where your mouth is (Score:5, Funny)
OK, I'll take you up on this. Starting today, release no more patches for XP and 2003 Server (or IE or IIS or OE or MS-SQL or any other component.) We should see no new exploits from this day forward. We'll give it a year. If an exploit is found, I get your house and car. If no exploits are found, you get mine. Deal?
PS: If you release another patch, I win. Any "feature upgrades" must be thoroughly examined by a 3rd party to make sure you aren't sneaking any patches in. I promise I will not actively look for exploits myself.
Re:Piffle (Score:5, Insightful)
That quote goes for Linux as well as MS. How many people do you know that are still running 2.0.34
Re:Piffle (Score:5, Funny)
Re:Piffle (Score:5, Insightful)
Re:Piffle (Score:5, Insightful)
It depends if you run updates through regression testing on a series of "standard" machines in the office and all goes well until you actually try to patch the systems. Then, some obscure third party app that you completely forgot even existed clashes with the freshly updated machine and fucks the whole thing but good because of some bizarre bug that prevents the machine from even getting to first stage boot. On 350 desktops. In the middle of the night. On the weekend.
As compared to the boxes that kernel-upgraded flawlessly even though we didn't list out half the stuff being used on said boxes.
Windows update for home use? (Usually) painless. Windows update for wide deployments. Potentially, the most painful fucking nightmare you will ever experience unless you have a completely homogeneous environment.
Re:Piffle (Score:5, Informative)
Let's see...with debian stable (possibly testing, but I don't recommend with unstable) Done.
Or, if you want a daily email of any packages requiring an update....
Oh, to upgrade to the next release...
for kernels, there's make oldconfig, but I realize there can be complications and a little more technical stuff, but upgrading a debian system for me is very straight forward. Set it and forget it. (I used to do automatic updates with WindowsUpdate, but there is still a patch out there that makes my Athlon laptop freeze up randomly).
Re:OK (Score:5, Insightful)
There's still one major difference - M$ is driven by the almighty dollar, while Linux is driven by people who want to do what's right. Further, with Microsoft, you not only upgrade your software, but most likely, your EULA as well (and no telling what kind of nastiness). With Linux, you have no such worries.
Re:Piffle (Score:5, Informative)
This in my opinion is one of the greatest benefits of the open source community. You see with both Windows and OS X, if you want all the security patches you need to pay for the latest version of the software. The linux community (note I didn't say RedHat but community) will continue to support prior software so long as there are enough users out there. Just look to the linux kernel or apache for examples. Just my $0.02.
Re:Piffle (Score:5, Funny)
Those people are Amateurs.
The latest kernel is 2.0.40 [kernel.org], as everyone should know.
[/sillyness]
Re:Piffle (Score:5, Insightful)
In fact, quite the opposite is often the case if older versions remain maintained, because they are more thoroughly debugged and locked down. And they are maintained because there is no profit motive to not do so.
KFG
Re:Kernel upgrade... (Score:5, Insightful)
Here [microsoft.com] is the big example that I can think of -- SP6 broke all kinds of stuff. So much stuff that MS released SP6a shortly after. And that's hardly the only example.
Re:Piffle (Score:5, Funny)
Ridiculous. Why would they want to force upgrades to Windows ME?
Re:Piffle (Score:5, Funny)
Am I the only one who remembers a few exploits that 95/8 were immune to because of innovations in new OSs? I mean, just a little thing like MS.Blaster. Probably didn't make the news
Re:Piffle (Score:5, Informative)
Re:Piffle (Score:5, Insightful)
But, you are wrong about this. In fact, a new Kernel update to 2.2 was released. Version 2.2.26. It's been a year, but they were still released.
Here's a quote from the release: "Marc-Christian Petersen announced the release of the 2.2.26 Linux kernel. This release includes several security fixes, including a fix for the latest mremap() bug." See the Linux 2.2.26 Release Notes [kerneltrap.org]
So, really, MS is forcing users to upgrade by not releasing patches to old versions.
Re:Piffle (Score:5, Informative)
Re:Piffle (Score:5, Interesting)
I am not, by the way, saying that users should not patch their systems, only that they should not be forced to upgrade working systems under auspices of security just because MS wants more revenue. They can pull that crap on the business market and get away with it, but joe sixpack can always go try that linux thingie he heard about.
Re:Piffle (Score:5, Informative)
This isn't to say that it's reasonable to expect a commercial company to support software indefinitely, but one of the benefits of open source is that you CAN find/hire someone to support your old software and backport bugfixes as appropriate.
One of the nice things about MS is that they DO backport bugfixes to old software. Patches are almost always provided for free for all supported versions of Windows. Windows is supported for an established number of years (5, I believe) and at that point the user is reasonably expected to upgrade.
The Linux kernel has a better reputation than MS, but there are plenty of companies that have worse reputations. Even Redhat only supports its products for about 3 years before expecting an upgrade.
Re:Piffle (Score:5, Insightful)
Just how long should a company be obligated to support its older products? And why are you coming down so hard on Microsoft while ignoring the fact that this is simply standard practice, in every industry?
Re:Piffle (Score:5, Insightful)
Re:Piffle (Score:5, Informative)