[Dshield] DCOM morning after

Brian Dessent brian at dessent.net
Wed Aug 13 23:10:48 GMT 2003

Serge Vondandamo wrote:
> Do you guys think of how much security/patching costs in terms of
> people, time and money?
> Why can't Microsoft just make sure that their stuff is correctly and
> securely written and coded?
> I have been patching and even using special software for massive patching
> and still patching!!!
> When can I have a rest and dedicate my time to other subjects than just
> patching?

I don't think you can condemn MS for writing code with bugs. I mean,
sure, they're no OpenBSD, but they do issue fixes for the showstoppers.
And OBSD doesn't have nearly the breadth and depth of applications,
platforms, etc. to support that MS does.

If anything, blame MS for the fact that their updates/patches are large
and binary-only. They often affect multiple things, and it's hard for a
sysadmin to know what exactly is included/changed with an update, or in
some cases even whether that update has been applied or is necessary.
If these fixes were released as source patch files, it would be possible
for organizations to surgically apply critical security fixes and
recompile without all the regression testing currently necessary.
However, this scenario would probably not result in MS being able to
earn 80% profit on Windows+Office, "open source is evil!", yadda yadda.