Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu


How many vulnerabilities are there really?

Just in case you are of the vulnerability-counting type, you may be interested in an analysis posted by my friend Jeff Jones in his blog. Jeff has done some amazingly detailed analysis of the number of vulnerabilities in each of several products.
Comments
  • You folks out there can argue over numbers all you want... as a beancounter I know how to creatively make numbers say anything... but here's the facts folks.

    SBS 2000 era:
    When I saw a bulletin that said IIS... I slammed my can of Mountain Dew on my desktop and went screaming to the server patching as fast as I could.

    SBS 2003 era:
    There was an IIS 6.0 patch out this week... and guess what.. I haven't patched my SBS box yet for that first ever IIS 6.0 patch.  I'm doing it probably as soon as I finish posting this comment.  And I'm doing it remotely... with the confidence that the system will reboot like a champ.

    That's the reality.  It's not the number of patches... it's how much at risk I feel.. how fast I felt like I had to patch my box in the 2000 era versus now.

    I have breathing room to test and then patch.. I didn't feel I had that in the 2000 era. So go ahead gentlemen and count those vulnerabilities...because on my server... I'm not slamming down those cans of Dew these days.

    http://www.microsoft.com/technet/security/bulletin/MS06-034.mspx

    ...and now if you'll excuse me.. I'm going to get my control thrill in as I remote in and patch my server....

  • Comparing the two will be difficult, as he acknowledges: open source, with a large number of eyes looking at it, and a "release early and often" policy will *always* have more vulnerabilities found and reported than closed source, intrinsically and by design. The problems in the source are visible to anyone, more frequent changes mean more chance of exposure, and less vulnerability-checking is done for each release.

    Whether this is a very good thing or a very bad thing from a security standpoint could be debated until the cows come home, and the camps will never see eye to eye, though people will occasionally be converted one way or the other.

    It's a good thing that both options are there so that people can, with full disclosure, make the choices they want.

    And it's good that people like Jeff Jones are trying to cut through the FUD on both sides and achieve full disclosure.

    I'll personally reserve judgement until he compares apples with something that's at least a fruit, monumental though that task may be.
