I was pointed to the article OSS Means Slower Patches by Pieter Blauuw. I have had it open in my browser window for the last day or two trying to figure out what feels so wrong about it. Thankfully Jericho has put together a decent response here and here. The full Symantec report is mirrored at OSVDB.
Jericho takes Symantec to task over their statistics, and the news article in particular for not providing enough detail. In reality, the article should be titled something about Mozilla and IE vulnerabilities, not OSS in general. Even on those terms, the two browsers are not compared on the same footing: only Microsoft's vendor-confirmed vulnerabilities (13) are counted, whereas the actual number of patched vulnerabilities was 19.
In addition, they claim the time from vulnerability disclosure to patch has increased from 30 to 54 days. This seems to be patent rubbish: it was never at 30 days. Have a look at the Mozilla vulnerabilities page; the first critical vulnerability took two months to be resolved and the second took one month. We know that it is going to take Microsoft a minimum of 30 days to write and test a patch, but this list gives all vendors (including Microsoft) a 60-day window to patch, and Microsoft currently appears at the top of it several times, the longest entry being 116 days past the 60-day window (176 days in total).
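The arguments above come down to how disclosure-to-patch statistics are computed: which vulnerabilities are included, whether the average is a mean or a median, and how far an open issue is past a fixed patch window. The following is an added example, not code from the original post or from Symantec, OSVDB or Mozilla, and the records in it are constructed to illustrate the point rather than taken from any real dataset. It shows how restricting a vendor to its "vendor-confirmed" subset shifts the mean time to patch, and how to measure overdue days against a 60-day window the way the list referred to above does.

```python
from datetime import date
from statistics import mean, median

# Constructed sample records (NOT real Symantec/Mozilla/Microsoft data):
# (vendor, vendor_confirmed, disclosed, patched). patched=None means still open.
SAMPLE = [
    ("Microsoft", True,  date(2005, 1, 10), date(2005, 2, 8)),
    ("Microsoft", True,  date(2005, 2, 1),  date(2005, 3, 8)),
    ("Microsoft", False, date(2005, 1, 3),  date(2005, 4, 12)),
    ("Microsoft", False, date(2005, 1, 20), None),
    ("Mozilla",   True,  date(2005, 1, 5),  date(2005, 3, 4)),
    ("Mozilla",   True,  date(2005, 2, 14), date(2005, 3, 16)),
    ("Mozilla",   True,  date(2005, 3, 1),  date(2005, 3, 23)),
]

# The 60-day patch window the list discussed above grants every vendor.
PATCH_WINDOW_DAYS = 60


def days_to_patch(disclosed, patched):
    """Calendar days from public disclosure to the vendor's patch."""
    return (patched - disclosed).days


def overdue_days(disclosed, patched, as_of, window=PATCH_WINDOW_DAYS):
    """Days beyond the window (0 if fixed in time).

    An unpatched issue keeps accruing overdue days up to the as_of date.
    """
    end = patched if patched is not None else as_of
    return max(0, (end - disclosed).days - window)


def patch_time_stats(records, vendor, confirmed_only=False):
    """Count, mean and median disclosure-to-patch days for one vendor.

    Only patched issues contribute; with confirmed_only=True the sample is
    narrowed to vendor-confirmed issues, which is the selection the article
    above objects to.
    """
    times = [
        days_to_patch(disclosed, patched)
        for v, confirmed, disclosed, patched in records
        if v == vendor and patched is not None and (confirmed or not confirmed_only)
    ]
    if not times:
        return None
    return {"count": len(times), "mean": mean(times), "median": median(times)}


def overdue_report(records, as_of, window=PATCH_WINDOW_DAYS):
    """(vendor, overdue_days) for every issue past the window, worst first."""
    rows = [
        (v, overdue_days(disclosed, patched, as_of, window))
        for v, _confirmed, disclosed, patched in records
    ]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for vendor in ("Microsoft", "Mozilla"):
        print(vendor, "confirmed only:", patch_time_stats(SAMPLE, vendor, True))
        print(vendor, "all patched:   ", patch_time_stats(SAMPLE, vendor))
    print("overdue as of 2005-07-15:", overdue_report(SAMPLE, date(2005, 7, 15)))
```

With these constructed records, Microsoft's mean time to patch is 32 days on the vendor-confirmed subset but about 54 days once every patched issue is counted, while the median barely moves; an average quoted without saying which set it covers, or whether it is a mean or a median, is not comparable across vendors. The still-open Microsoft entry, disclosed on 20 January and measured on 15 July, is 176 days old, which is 116 days past the 60-day window.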
I haven't done a particularly deep investigation, but given the lack of explanation in the article, this seems enough to counter the claims that "OSS in general patches slower" or "Mozilla patches their browser slower than IE". It is true, however, that Mozilla has had more vulnerabilities than IE this year, six more to be precise. This is probably due to the rapid rise of Firefox, making it a more interesting target. They do, however, seem to have consistently dealt with them in a timely manner.