HomeBlogsDavid Lane's blog

It's Patch Tuesday...Again...

Oct 13, 2010  By David Lane
 in
patch

Overnight I received an email from a friend, forwarding me an article from Redmond Magazine. The topic of the magazine was the huge Patch Tuesday dump that our friends in Redmond have sent down. There was also some discussion about the patch bundles dropped by Adobe and Oracle as well. In the words of the author of the article It's a heavy burden for just this month. The email, though was what I wanted to highlight. My friend said to me:

Here's a good ad for Linux! ("Ya load 16 patches and whaddayaget? Another day older and deeper in debt. Saint Peter dontcha take me 'cause I can't goooooo; I owe my soul to the Microsoft stooooore" - with apologies to Tennessee Ernie Ford).

I am sure there are a number of Linux people that are waking up and pointing at their Windows using friends and saying I told you so, but I can assure you, most of those people are not professional Linux administrators. In fact, most of us that use Linux for a living would say not so fast.... Over the past two weeks I have had a number of things patched on my Fedora 13 system. I say things because I really was not paying attention to exactly what was being patched, pretty much the same way I do not not really pay much attention to what Microsoft (or Oracle or Adobe) are patching this week. Now you might argue that I not only should be paying attention, but that I inspect each and every patch before I apply it for relevancy and value. Yea, OK. Show of hands, who has time for that? Yes, there are some of you out there that not only do test each and every patch, but know exactly the impact it is going to have on your systems. Further, you also know that if one of your systems is down for even a second, the amount of money lost is more than enough to pay for the test and development systems needed to test patches when they come out. But most of us just take it on faith. We have to. Linux continues to be one of the safest operating systems on the market today. This is because of the model of access (least privilege) and the intense scrutiny of the code. But even with an average of one bug per 1000 lines of code, even we have patches, security issues and exploits that we have to be ever vigilant of. It is easy for us to point our fingers and laugh, but we should not become complacent.

______________________

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

song quotation

Patrick Dirickx's picture
Submitted by Patrick Dirickx (not verified) on Fri, 10/22/2010 - 02:10.

your friend should apologize to Merle Travis, he's the songwriter !

A couple of fallacies

Cliff's picture
Submitted by Cliff (not verified) on Thu, 10/14/2010 - 05:20.

"Linux continues to be one of the safest operating systems on the market today. This is because of the model of access (least privilege) and the intense scrutiny of the code".

The 'model of access' is chunky as a bunch of bricks and leads inevitably to more access being given that is necessary. ACLs are the way to go, but who uses them? In my experience not many admins know that they exist.

As for 'intense scrutiny', I think that just because the source is open it doesn't mean that people read it. Who's got the time or inclination? I'd suspect that source code, especially driver source code, is only read by a few interested people.

Linux is probably the safest operating system mainly because it is not the big bad ogre of Microsoft and because it is a distributed target - when someone writes attack code they are trying to outwit the writer of the original code, Microsoft, without access to the code. It's no fun if someone gives you the answers to the puzzle before you even started.

Cheers,

Cliff

ACLs can just as quickly

turn_self_off's picture
Submitted by turn_self_off (not verified) on Fri, 10/15/2010 - 11:48.

ACLs can just as quickly devolve into giving to much access.

Well, there's patching, and then there's patching

antIP's picture
Submitted by antIP (not verified) on Wed, 10/13/2010 - 23:33.

I update my Linux boxes everyday. Windows receives updates once a month. How many exploits is Microsoft purposefully hiding from the public? There's patching, and then there's patching. I'd rather get patched by Linux than Microsoft...any day of the week, literally.

Agree

Anonymous's picture
Submitted by Anonymous (not verified) on Wed, 10/13/2010 - 15:26.

Last time I went to update Ubuntu there was like 100 updates in one month

No.. They were not all for the operating system or kernel.. But to the average user it's like - 'This OS has a bunch of patches.'

I am a Windows system admin right now and I always have to point out to folks that Linux has just as many patches if not more.

Good Point

Tim's picture
Submitted by Tim (not verified) on Wed, 10/13/2010 - 12:44.

There is one thing worse than sending down a slew of patches, and that would be to not provide the fixes at all. I use and support free and open source software. However, I could never understand why liking one thing should lead to hating another.

Two things are worse: not

fest3er8's picture
Submitted by fest3er8 on Wed, 10/13/2010 - 23:07.

Two things are worse: not providing updates and providing updates in such a way that you cannot determine what the patch affects. The LWN RSS feed gives me a nice heads-up as to what is being fixed in Debian. And aptitude shows me what will be updated, letting me choose which to update now, and which to leave for later.

Pointless

Anonymous's picture
Submitted by Anonymous (not verified) on Wed, 10/13/2010 - 11:12.

Waste of electrons.

RE: Pointless

Joe Flynn's picture
Submitted by Joe Flynn (not verified) on Wed, 10/13/2010 - 15:13.

Save the electrons!

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions