Comments on: Ballmer Confuses Linux, Unix, BSD Security http://www.emailbattles.com/2004/10/29/security_ajiijfcaji_da/ Spam, Security, Privacy, Spyware, Phishing & Viruses from the Front Lines. Wed, 17 Mar 2010 02:52:50 +0000 http://wordpress.org/?v=2.0.4 by: Chad Perrin http://www.emailbattles.com/2004/10/29/security_ajiijfcaji_da/#comment-11 Sun, 05 Feb 2006 15:15:20 +0000 http://www.emailbattles.com/2004/10/29/security_ajiijfcaji_da/#comment-11 I ran across that study when it was new, and was unimpressed. One question in particular that arose in my mind was this: How do you measure the time from "disclosure" to patch? Considering that, often enough, vulnerability discoverers are prevented from publicly disclosing what they've found until after Microsoft has released a patch, this can mean a period of months of vulnerability, potentially with exploits in the wild, before a patch is provided -- and yet, if patch turnaround time is measured from the date of public disclosure, Microsoft's record will show another zero-day lag.<br> <br> We see now another reason for Microsoft's relentless chastisement of anyone that discloses a vulnerability "too soon". This isn't about protecting customers: it's about protecting Microsoft's image.<br> <br> That completely leaves aside problems with the Forrester study, such as the fact that Forrester is a Microsoft lackey, and that the RHEL patches include support for a great many non-Linux-specific software while Microsoft patch times only include Windows-specific software, and of that only Microsoft-distributed software. I ran across that study when it was new, and was unimpressed. One question in particular that arose in my mind was this: How do you measure the time from “disclosure” to patch? Considering that, often enough, vulnerability discoverers are prevented from publicly disclosing what they’ve found until after Microsoft has released a patch, this can mean a period of months of vulnerability, potentially with exploits in the wild, before a patch is provided — and yet, if patch turnaround time is measured from the date of public disclosure, Microsoft’s record will show another zero-day lag.

We see now another reason for Microsoft’s relentless chastisement of anyone that discloses a vulnerability “too soon”. This isn’t about protecting customers: it’s about protecting Microsoft’s image.

That completely leaves aside problems with the Forrester study, such as the fact that Forrester is a Microsoft lackey, and that the RHEL patches include support for a great many non-Linux-specific software while Microsoft patch times only include Windows-specific software, and of that only Microsoft-distributed software.

]]>