Patchy coverage

COMMENTARY--Yep, it's Windows vs Linux time again. As usual, the facts go out the window in a points-scoring battle that completely ignores the important issues.

At the annual Tech Ed conference in mid-August, Microsoft's chief security strategist Scott Charney said "Half of all crashes in Windows are caused not by Microsoft code, but third-party code". Why would he say that?

For about a year, Microsoft has been implementing its Trustworthy Computing initiative, and has gone to great effort to improve its practices and get better security and reliability in its products. Being Microsoft, a lot of the work has gone into new products such as Windows Server 2003 rather than fixing holes in the software everyone's using, such as Windows 2000. Spend more money, get better security.

But it's slow going. Building better software is evolutionary, as is earning the industry's trust when your reputation is as bad as Microsoft's. It doesn't help when, as you're making this announcement, a worm exploiting a vulnerability in your code--not someone else's--is spreading around the world.

A ZDNet Australia Web site reader noted, "In decent operating system design it is recognised that programs may go feral and the OS must cope with this gracefully. Any OS that crashes because of bad applications is basically badly designed."

Charney's statement also ignores the problems many developers face trying to interact with Windows when they can't access the operating system source code, and sometimes can't even get proper documentation of the application programming interfaces. Third-party developers can hardly be blamed for instability if they don't know what they're working with. Charney was, at best, being disingenuous. Dodging the blame does very little to improve your reputation.

Charney's statement moved columnist Sam Varghese at the Fairfax newspapers to decry the terrible state of IT journalism today. "One should question why such statements are repeated verbatim, without even a hint of doubt, by journalists," he wails.

Varghese also writes misty-eyed pro-Linux puff pieces in his spare time in which he freely admits "I am not a techie". Yet in a column the day before, he quotes Linux evangelist Con Zymaris as saying "open source systems have a far lower risk profile" than Windows--verbatim, without even a hint of doubt. Pot, kettle? Or is it OK to report unsubstantiated propaganda if it's propaganda you agree with?

Zymaris claims keeping patches updated is far easier in Linux "due to the well thought-out and well-executed package management technologies". This is a highly contentious point, and not one that lends itself to being quoted without analysis by any journalist who wants to claim a shred of credibility.

Patch management is complicated. The Blaster worm was easily defeated if systems had been updated with a months-old patch, but a lot of systems didn't have it installed. This does not give the Linuxheads reason to be pleased with themselves.

Linux certainly beats Windows hands down in the number and frequency of patches, but this is not as good as it sounds. Every time a sysadmin needs to patch a system, particularly a business-critical server, he or she needs to be sure it isn't going to cause problems with what's already running. When new patches come out every other day, as they do with Linux, you can imagine the nightmares this could cause.

There is also a wide range of, words fail me, well thought-out patch management software available for Windows. And while Linux patches are--obviously--free, vendors like Red Hat charge fees to subscribe to their update services that help minimise dependency issues, which can be a big problem with Linux.

In an interesting approach, Sun Microsystems' Orion strategy means Sun will be sending customers quarterly patches for all its software on CD. These patches will be pre-tested for compatibility and integration issues. While this doesn't eliminate the need for emergency patches, at least it takes one big worry off admins' minds.

If it works well, expect to see Microsoft and the Linux vendors taking up the same idea--and slugging it out over which one of them thought of it first, which works better, and which has the lowest TCO.

Josh Mehlman is acting editor of Technology & Business.


Talkback 15 comments

    apt-get install Oh the nightm ...rob smith -- 03/09/03

    apt-get install

    Oh the nightmare!!!!!!

    I think Apple does a good job ...cashaww -- 03/09/03

    I think Apple does a good job with OS X. I say only OS X because it is the only Mac I have ever owned. I also would say that Suse, my PC 'nix', does a nice job now. Early on, 5.?, I did have a problem with patches causing problems, but this could have been due to my newbie status.

    I always have serious doubts w ...Anonymous -- 03/09/03

    I always have serious doubts when people compare things that - from a practical viewpoint - just cannot be compared. Patching a *nix (including the Linux variety mentioned in the article) system simply isn't equivalent to patching a Windows system, i.e. if you download a Microsoft patch you often get something in the tens of megabytes of code, which mostly works, but actually sometimes doesn't. Ever tried to do a rollback of an installed patch on Windows on a machine which actually does something? That's why most admins have a thorough testing phase of the patch on a non-production machine and image the production machine before applying the patch to be able to go back completely. If you use some of the better patching/updating mechanisms in Linux (e.g. apt-get), you install four or five well-defined packages at a time and can go back anytime by just downgrading the packages if it doesn't work. Still it needs a testing phase; however, I have not seen issues with Linux if I have successfully completed the testing and subsequently applied the patches on the production machine, whereas hardware differences on the Windows server seem to make a big difference whether a patch works or fries the system.

    Credibility in a ZDNet article ...Toliman -- 05/09/03

    Credibility in a ZDNet article ?

    If this is the calibre of journalistic commentary on an issue like "Maintenance", that it has to turn into "Misconstrued ways to Maintain your OS" ...

    It's sad that you can write so casually, venomously, ostentatiously and throw so much attention on attacking the credibility of both a MS executive (an easy target for ridicule, yet you make it seem as if it was casual naivety) and another journalist in the same incendiary sweeping remarks.

    What makes this one-sided debate less than civil, apart from not having any stance in the issues, is that you throw away all your credibility in a last-ditch effort to laud praise upon a subscription-update model, expecting MS and Linux to fight over it as a viable solution.

    As a point of discussion, it's a poor one. And you leave it so open, ignoring any mention of merits, successes and failures, that it is positively painful to make the effort to read the commentary and not to immediately dismiss it as a wasted effort.

    Subscription updates... are not the sole domain of Sun's entrenched software product line.

    Subscription models are everywhere; you should ask a fellow tech journalist about subscription models for software distribution. You seem to need to research this more, and it shows. This is casual and disingenuous commentary on mainstream issues that have faced all users for the last few decades, not just in the IT industry, but in general.

    The same people that have trouble changing oil in their cars, cleaning the sparkplugs and adjusting the timing of their car engines, setting the clock on the VCR or microwave oven, or updating anti-virus software, defragmenting a HDD, downloading patches -- the moral is the same: all technical devices need maintenance.

    I'm used to poor commentary after reading David Coursey, another hatchet-job journalist that dodges core issues, insults others for their supposed hypocrisy, a 'laissez faire' use of propaganda to highlight an issue, then a litany of paraphrased sentences, an arsenal of critiques, the literary equivalent of a 'below-the-belt' punch, an attack on the credibility of another, and a closing statement that bears no relevance or forbearance to reality, or is a distant cousin to reality.

    And, here I am again, reading a diatribe from another ZDNet journalist writing up something that is so blatantly poor subjective criticism that it deserves to be given to people as an example of how not to write.

    If you go up to a corpse and a ...Anonymous -- 06/09/03

    If you go up to a corpse and ask it "How did you die?", typically you don't get a response. Mainly because it's dead :-)

    And it's the same sort of thing with operating systems too. Once the operating system has died (i.e. not swapping between processes to run any more, and not accepting user input), you can't expect it to bring up a nice little dialog box, ask "shall I report my demise to home base, master", get an input from a mouse, and then open up a network connection to home base, and report why it died. Same reason as the corpse: it's dead. The only way to figure out why it died is to cut up the mess that is left and figure out what went wrong.

    This means that the number of crashes which Microsoft hears about is underreported. It's impossible to say just how underreported it is. Anecdotal evidence says it's a lot.

    I've had Windows XP bluescreen instantly just by plugging in a PS2 mouse. There was no chance to report this to Microsoft using the crash reporting facility. I had to reboot.

    Now, on to the "50%" number itself. There is an awful lot of Windows software out there. Thousands upon thousands of programs to do all sorts of things. And if they only cause 50% of the errors that get back to Microsoft, then Windows itself must be causing the other 50%. Windows must be built like Swiss cheese to generate as many errors as all of the programs that can run on it.

    Whichever way you look at it, it's not very impressive at all. You would hope the number would be close to 99%.

    The difference between Linux p ...Karl O. Pinc -- 06/09/03

    The difference between Linux patches and Microsoft patches is that Linux patches each target a specific program. Microsoft patches are like sausages: you don't know what's in there. Every system has only a few very vulnerable programs, usually those which connect with the Internet, plus the O/S kernel. Of the many Linux patches which come out, it is those which apply to these critical few programs which must be closely attended. The modular nature of Unix/Linux comes to the rescue. The spaghetti of intertwined connections between Microsoft's O/S and its applications vastly increases the odds that a patch to one application will adversely affect another, which leads to "fear of patch" syndrome -- a condition affecting Microsoft admins and tech journalists but not Linux admins. After all, the competent Linux admin can always examine the changelog and even the code of his patches. While the Linux admin may not be a coding expert, he always has access to the analysis of the experts in the public forums.

    Narrowly focused patches, quickly released, which can be scrutinized to any level of detail, combined with easy access to the experts who produced and reviewed the patch. What more can you ask for?

    I agree many are quick to shed ...Javelin -- 08/09/03

    I agree many are quick to shed Linux in a better light, but here I go. In my experience, patches generally cause little harm in Linux. Just this week, however, a good friend patched his payroll server with 4 Microsoft patches. The server died. Technet suggested the error received would require a reinstall. Luckily, the Recovery Console enabled us to get in and replace the DLLs the patches removed and we got it back up. To be honest, I've also had my Linux laptop completely die for no good reason (though later it was determined to be a power mgt issue). Linux has its share of problems, but generally speaking updates aren't one of them, from my experience. The fact that Microsoft's own patches dropped this server was appalling to me.


    With regards to patching Linux ...Rodd Clarkson -- 08/09/03

    With regards to patching Linux, you're right. You can make it into a horrible mess if you choose, but why would you?

    With regard to patching, Windows isn't even in the same ballpark as Linux. Windows is little league, and a badly managed little league at that.

    As someone who installs server software for customers on an ongoing basis, I can't tell you how good Linux (in my case Redhat) is for patch management.

    You install the software you need. I could do a standard install, but I choose to do a minimal install and then manually install the software I actually need - that way I know what is on the server. Sure, there is a learning curve, but it's not that hard.

    Having installed from the base release, I set up a NFS share to a server with the entire set of updates for the version of Redhat I use and I type 'rpm -Fvh *'. This goes through the packages, figures out what needs to be 'freshened', finds the most recent package (should multiple versions/architectures be available) and installs only the updates for the software I've got installed.

    I don't need to know what I've got installed. I don't need to know which patch was released before which patch. Updates don't crash the system, and if they did, you can easily back down to the last version (which might have issues, but at least it works). Ever tried backing out a MS patch? I think they call it reinstalling.

    These comments are not just 'verbatim quotes' without justification; they are one of the many reasons why sysadmining a Linux box is so much easier than managing its Windows counterpart.

    This article seems to want the ...Anonymous -- 08/09/03

    This article seems to want the windows patch system to be better than linux, and then tries to theorise why this should be so.

    Bugger theory! One only has to ask the administrators that handle both types of systems: what has experience taught you about both? I am a person who does have this experience, and I can say with certainty, Linux wins hands down. Admittedly, I only maintain Debian Linux systems, so I can't speak for other distros like Red Hat/SuSE/Mandrake/etc.

    Doing an update on Debian is completely verbose on exactly what it is doing, has worked for me _every_ single time without breaking a thing, and I _know_ that I can revert the patch to the previous version, unlike my experience with Microsoft where some patches will not allow themselves to be removed.

    AND Microsoft recommend reapplying all patches and service packs after any software install. An obvious trademark of a well designed system.

    To Microsoft's benefit, they have made patching a windows system very easy via the web, probably for the average Joe. Now, for the system administrators, they need to work on it further so it's more flexible, reliable, and informative.

    Linux updates... The author ob ...Scott Marlowe -- 09/09/03

    Linux updates...

    The author obviously has ZERO actual experience in patching Linux systems. I've adminned both NT/2k boxes and Linux boxes, and there's a world of difference between them.

    First off, while there may be a couple of security updates a week for a typical linux distro, most of these are for local root exploits of packages, most of which aren't installed on a typical server. I.e. cdrecord, mozilla, etc...

    Secondly, it is very uncommon to have a patch break a working Linux system. Almost every time I've seen a patch affect a working linux box, it has been commercial software that comes in something other than RPM that breaks. I.e. if the distributor of said software made an RPM package of it, the RPM manager would have complained about broken dependencies and the issue would not have occurred.

    Thirdly, and most importantly, when I have had any issues with patches in Linux, they have always been fixable within minutes by simply backing out the patch. It is not uncommon for a Windows patch to be "non-backoutable": directx, IE updates, etc... Many of these updates, once performed, are virtually impossible to actually back out, and even if they say they backed out, they leave enough cruft in the registry to cause problems.

    While the author has one or two valid, if weak, points, he would be better served by spending some actual, factual TIME with a linux box and getting to know it before he writes more about the state of package management in Linux land.

    Windows has good patch managem ...Scott Marlowe -- 09/09/03

    Windows has good patch management???

    In the article, the author claims:

    There is also a wide range of, words fail me, well thought-out patch management software available for Windows.

    Why is something as important as package management NOT being handled properly by Microsoft? It's their OS, why isn't hfnetchk a standard part of Windows 2.003K?

    The package management in Linux systems involves complex things like dependency checking, versioning, and md5 sums of all installed files.

    Windows Update uses the registry to store a key that says "yep, the file is installed" and that's the end of it. What if the file got corrupted, your machine got rooted, or you have the wrong patch installed? No way to really tell in MS land, as they don't store md5 sigs in a local database to compare to the files on the hard drive.

    Again, this author could do with more tech savvy and less vitriol and verbiage. It's nice that you've got people with good writing style here on ZDNet; now if you can just find some with tech savvy you'll be set, huh?
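As an added illustration, not code from the column or from any commenter, of the integrity check this comment describes: a manifest that records digests, sizes and modes of installed files, and a verifier in the spirit of `rpm -V` that reports files which have gone missing or changed since install. The two-file "package" and its contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# The comment mentions md5 sums; SHA-256 serves the same purpose here and the
# logic does not depend on which digest the package database recorded.
DIGEST = "sha256"


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(DIGEST)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record digest, size and permission bits of every file under root,
    keyed by path relative to root: what a package database stores at
    install time."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "digest": file_digest(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Compare the live filesystem with the manifest and return
    (relative_path, problem) pairs. Problem codes borrow rpm -V's letters:
    '5' digest differs, 'S' size differs, 'M' mode differs, or 'missing'."""
    findings = []
    for rel, rec in manifest.items():
        path = root / rel
        if not path.is_file():
            findings.append((rel, "missing"))
            continue
        st = path.stat()
        if st.st_size != rec["size"]:
            findings.append((rel, "S"))
        if (st.st_mode & 0o7777) != rec["mode"]:
            findings.append((rel, "M"))
        if file_digest(path) != rec["digest"]:
            findings.append((rel, "5"))
    return findings


def demo() -> list:
    """Install a constructed two-file 'package', tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        tool = root / "bin" / "tool"
        tool.write_bytes(b"#!/bin/sh\necho ok\n")
        tool.chmod(0o755)
        (root / "etc" / "tool.conf").write_text("level = 1\n")
        manifest = build_manifest(root)
        assert verify_manifest(root, manifest) == []  # fresh install is clean
        # Same-length replacement: only the digest catches it, not the size.
        tool.write_bytes(b"#!/bin/sh\necho no\n")
        # A config file that was deleted after install.
        (root / "etc" / "tool.conf").unlink()
        return sorted(verify_manifest(root, manifest))


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:>8}  {rel}")
```

A registry flag of the kind the comment describes would still say "installed" for both files; only the recorded digest and the file list expose the corrupted binary and the missing config.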

    An OS should be able to handle ...Anonymous -- 09/09/03

    An OS should be able to handle ANYTHING which a user program throws at it, and the OS itself should be 100% RELIABLE.

    Charney's attempt to blame 3rd party software for half of the crashes reflects the un-modular, unreliable spaghetti which these MS 'Server' products have become, both via incompetence and via intentional misdesign (for example, Internet Explorer was made into a mandatory 'operating system component' to support a line of legal argument). The OS has bloated into a maintenance mess, prone to crash when using either 3rd party ("half") or Microsoft (the other half) software products.

    Linux is more transparent and ...Roland Smith -- 09/09/03

    Linux is more transparent and easier

    To be fair to Microsoft, it is very easy for an error in a 3rd party driver to hose the complete OS, because it's running in kernel mode.

    But patch management in Linux is IMHO much easier and transparent. At least you can precisely see _what_ is being installed, package by package. And you can easily rollback if you have to.

    Although a program upgrade in Linux may fsck that program's config files, at least it won't take the system down with it.

    With Linux It is also much easier to check if you _need_ a specific patch. If there has been a vulnerability detected in a subsystem you aren't using, you don't need to patch.

    Then there is the difference in architecture. There seems to be a tendency in Windows to push things into kernel space for performance reasons. Linux tries to keep as much as possible out of kernel space for robustness.

    More critiqueing... QUOTE: Pat ...Scott Marlowe -- 09/09/03

    More critiquing...

    QUOTE:
    Patch management is complicated. The Blaster worm was easily defeated if systems had been updated with a months-old patch, but a lot of systems didn't have it installed. This does not give the Linuxheads reason to be pleased with themselves.
    UNQUOTE

    Two observations here: First is that many Microsoft "patches" don't fix what they purport to fix, leaving systems vulnerable that you thought were patched. This happened in Nimda/CodeRed a year ago, and it's happening right now. It's a part of why the Blaster worm got loose, it too was "semi-patched" by MS.

    Over the course of this summer, I've seen at least three patches from MS that didn't actually patch the vulnerability, just a small subset of it (i.e. they put a filter in front of the vulnerability that could be bypassed with little effort by a hacker.)

    Check out ntbugtraq archives for proof, but here's part of a message that went by JUST TODAY showing that this is how a MS patch is behaving:

    QUOTE:
    From: GreyMagic Software
    >The patch for Drew's object data=funky.hta doesn't work:

    This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
    explains the problem in detail. Microsoft again patches the object element
    in HTML, but it doesn't patch the dynamic version of that same element.

    >1. Disable Active Scripting

    This actually means that no scripting is needed at all in order to exploit
    this amazingly critical vulnerability:

    UNQUOTE

    So you can't claim that MS's patching is equivalent to Open Source patching, where the job just gets done.

    My second point on this is that the author insists on insulting linux users by calling them "linuxheads" and pointing out how they have no right to brag. We Linux Enthusiasts / Fans / Users do have every right to brag, our patches WORK.

    Next, the author claims that Linux has LOTS more patches than Windows:

    QUOTE:
    Linux certainly beats Windows hands down in the number and frequency of patches, but this is not as good as it sounds.
    UNQUOTE:

    This is simply not true. Since RedHat 7.2 came out, around 2001-09-01 or so, there have been exactly 39 security patches. That's approximately 2 years, or 24 months. That's 1.6 security patches a month. MS averages something like 30 a year, which tend to affect all flavors (i.e. outlook, IE, common services)

    QUOTE:
    Every time a sysadmin needs to patch a system, particularly a business-critical server, he or she needs to be sure it isn't going to cause problems with what's already running. When new patches come out every other day, as they do with Linux, you can imagine the nightmares this could cause.
    UNQUOTE:

    Classic FUD. Note that the author isn't saying this actually causes problems, just that it COULD cause problems. The theory and reality are quite different here. You can apply all the security patches on your pre-production servers and see if they work, then apply them on your main servers. Total effort required? 'rpm -Uvh *.rpm'. Boy, that's a lot of work, huh?

    There are tons more errors in this article, but if ZDNET doesn't care, why should I, eh?

    When reading the article " ...Denney Abraham -- 05/10/03

    When reading the article "Patchy coverage" I got the impression that Mr. Mehlman gets really annoyed with certain statements in the article written by "columnist Sam Varghese at the Fairfax newspapers". And he responds in kind! Tsk, tsk, Mr. Mehlman! Where is your journalistic objectivity? When a columnist makes a comment you do not like, you are not supposed to vilify and insult that person and pooh-pooh what they wrote. Defend yourself like a gentleman! Present valid points and arguments, and move on. After all, Mr. Sam Varghese did not go around insulting you and your writings. Shame on You!!

    Then comes the issue of Linux vs. Windows. It is interesting that you chose to compare Windows and Linux on a matter you clearly do not understand - patches. It is important to understand your subject matter thoroughly before critiquing it. C'mon, Mr. Mehlman, you know better than to print out an article containing 'facts' which, when thought through diligently, will fall apart. Case in point: "When new patches come out every other day, as they do with Linux, you can imagine the nightmares this could cause." Any journalist who did some research (talked to a real Linux SysAdmin) would never have made that statement because he would have understood the point that Linux does not have patches every other day! Several third party applications which run on Linux might have patches coming out regularly, but those patches do not need to be put into the system; those patches have nothing whatsoever to do with Linux itself. As I stated already, Mr. Mehlman, you clearly did not do your homework.

    I hope your future articles contain facts which are more researched and valid.
