2003-04-27
With Windows Server 2003, Microsoft has finally produced an operating system that isn't begging to be hacked on the first boot.
Secure by Default - READ BEFORE YOU POST.
2003-04-28
Anonymous (2 replies)
Secure by Default - READ BEFORE YOU POST.
2003-04-28
Anonymous (1 replies)
Secure by Default - READ BEFORE YOU POST.
2003-04-29
Anonymous (2 replies)
Secure by Default - READ BEFORE YOU POST.
2003-04-30
Anonymous (2 replies)
Secure by Default - READ BEFORE YOU POST.
2003-05-01
Anonymous (3 replies)
Secure by Default - READ BEFORE YOU POST.
2003-05-02
Penguinisto (1 replies)
Well, I'll give you this much, Timster...
2003-04-28
Penguinisto (4 replies)
Well, I'll give you this much, Timster...
2003-04-28
Anonymous (6 replies)
Well, I'll give you this much, Timster...
2003-04-29
Anonymous (2 replies)
Well, I'll give you this much, Timster...
2003-04-29
Penguinisto (1 replies)
Well, I'll give you this much, Timster...
2003-04-29
Anonymous (2 replies)
Zealotry comes in all forms.
2003-04-29
matt@beatlab.org (2 replies)
Secure by Default (Pathetic)
2003-04-29
Anonymous (3 replies)
Secure by Default
2003-04-29
Anonymous (1 replies)

So ... let's examine a couple of facts.
Red Hat 9 -- How many vulnerabilities in the first week alone? Two the first day, eight in the first week. In the first six weeks? Well, sixteen so far.
Windows Server 2003 -- None so far. Granted, it's only been 2 weeks since the "official" launch of the product, but the final (RTM) version has been available for over a month.
As for the architectural change in IIS, where the basic HTTP processing runs in kernel mode ... this is NO DIFFERENT from how Apache runs. And how many buffer overruns has Apache had in the past? Too many to count. Far too many.
The key difference that you don't seem to get is that Microsoft recognizes that there is a problem and they are working to fix it. They don't say that it'll happen overnight ... but they have put processes and procedures in place to help identify and rectify security issues. What kind of processes and procedures are in place for Linux? In fact, how could the Linux community put these kinds of processes in place? And don't spout that nonsense about "Many eyes make all bugs shallow". The recent SendMail vulnerability ... which has been in the open source code base for 10+ years ... gives lie to that.
As for Solaris ... so far this year, there have been 32 vulnerability announcements from Sun ... and 9 each for WindowsXP and Windows 2000. Then, with Sun, you always have to wonder about their remarkably consistent habit of re-releasing every vulnerability patch with no explanation of why they are doing it.
So ... before you start spouting your nonsense, please reflect on the facts of the matter. Not opinion.
Link to this comment: http://www.securityfocus.com/comments/columns/157/19766#19766