Ending the Free Lunch
Hal Flynn, 2003-11-26

Linux vendors spend money building security bug fixes. How much longer will they give them away for free?

Comments:

Ending the Free Lunch, 2003-11-26, Anonymous (1 reply)
The Cost of Ending the Free Lunch, 2003-12-01, Anonymous (1 reply)
The Cost of Ending the Free Lunch, 2003-12-06, Anonymous
Ending the Free Lunch, 2003-11-26, Rob McQuillen
Lots of points missed..., 2003-11-26, Penguinisto (2 replies)
Lots of points missed..., 2003-12-01, Anonymous (1 reply)
Lots of points missed..., 2003-12-01, Penguinisto
Lots of points missed..., 2003-12-02, Anonymous (1 reply)
Lots of points missed..., 2003-12-03, Penguinisto
Ending the Free Lunch, 2003-11-27, Anonymous Coward
Ending the Free Lunch, 2003-11-27, Anonymous (2 replies)
Ending the Free Lunch, 2003-11-28, Anonymous (1 reply)
Ending the Free Lunch, 2003-12-01, Anonymous
Ending the Free Lunch, 2003-11-28, Anonymous
Apple no, Suse sure, 2003-11-27, groovecat
Ending the Free Lunch, 2003-11-27, Anonymous
Ending the Free Lunch, 2003-11-27, cowbutt
Ending the Free Lunch, 2003-11-27, Anonymous (2 replies)
Huh?, 2003-11-28, OCG (2 replies)
Huh?, 2003-11-30, Anonymous (1 reply)
Huh?, 2003-12-01, Anonymous
Huh?, 2003-11-30, Anonymous
Ending the Free Lunch, 2003-11-29, Anonymous (2 replies)
Ending the Free Lunch, 2003-12-02, trips
HEEE HEEE, 2003-12-02, Anonymous
I'll cook the free lunch; I'll provide the meat, you provide the vegetable, 2003-11-27, picklepak

I disagree with this article. For those open-source operating systems where security and correctness are a key priority, patching vulnerabilities happens extremely quickly by a small group of extremely dedicated individuals. Have you ever heard of an arcane group of BSD-based operating systems known as FreeBSD and OpenBSD? There's a reason why they're run in some of the largest environments on the Internet. They continue to patch every known vulnerability typically within a day, and sometimes within a few hours. It's top priority to them. They don't get money from packaging and distributing their OS in the same way as a Linux distributor like SuSE or Red Hat might get either. They make their money off t-shirts, bumper stickers and donations. And they're faster at fixing vulnerabilities than anyone else. This case of speed may not be seen in the Linux world, but then security is not the #1 priority for every open-source contributor either. That's why there are different distributions, different options, different operating systems and different flavors of Unix. Pick which one suits you best.

Mac OS X is a unique case; here is a legacy operating system that continues to reinvent itself by migrating to a BSD-based kernel -- yet with a mature, high-gloss user interface that is somehow years ahead of Ximian and KDE from the perspective of the average computer user. Yes, they charge for their OS upgrades and they absolutely should. Have you seen how much additional functionality and how many new applications they bundle with every new release? They might as well throw in the security fixes too -- but always make them available for older versions of the OS as well. Then the average user can make a choice: upgrade to get the new applications, functionality and security patches, or save some money, stick with what you have and learn how to patch your system, just like everyone else does.

I also disagree with the statement about releasing vulnerabilities in the wild. You suggest that either the vendor is notified and takes immediate steps to fix the problem, or else some rogue cracker releases a vulnerability into the wild without contacting them first. What about the case of a large vendor who receives vuln reports all the time, and simply sits on them? Microsoft! Case in point: all the unpatched Internet Explorer vulnerabilities, some of which have been published and have existed for more than six months! Yes, MS is slowly getting better, but it takes a long time to turn around the Titanic when they see an iceberg up ahead. A small team working out of their basements, a la OpenBSD, is much more nimble than their arch-nemesis, SCO-supporting Microsoft. I'm not saying it's a sinking ship just yet...

If you want fast vulnerability patching go with OpenBSD and FreeBSD.


Link to this comment: http://www.securityfocus.com/comments/columns/200/23916#23916
Filet Mignon, 2003-11-28, Tomothy Millen
Missed the point quite a bit, 2003-11-28, Anonymous (1 reply)
Missed the point quite a bit, 2003-12-01, Anonymous (1 reply)
Missed the point quite a bit, 2003-12-02, Anonymous
Ending the Free Lunch, 2003-11-28, Anonymous (1 reply)
Ending the Free Lunch, 2003-12-02, Anonymous
UH?, 2003-11-30, Tripper
So wrong....., 2003-12-01, jmorris@beau.org
GPL - simple really, 2003-12-01, Anonymous (1 reply)
GPL - simple really, 2003-12-03, Anonymous
wrong, 2003-12-01, Anonymous
Freedom, not Freeness, 2003-12-01, Frihet
Ending the Free Lunch, 2003-12-01, esjatharvee
Ending the Free Lunch, 2003-12-01, Joseph Smith
Ending the Free Lunch, 2003-12-01, Anonymous (1 reply)
Ending the Free Lunch, 2003-12-07, Anonymous
Ending the Free Lunch, 2003-12-01, Anonymous
Ending the Free Lunch, 2003-12-01, Anonymous (1 reply)
Ending the Free Lunch, 2003-12-02, Anonymous
Who actually fixes bugs?, 2003-12-01, Anonymous (1 reply)
Who actually fixes bugs?, 2003-12-03, Anonymous
Ending the Free Lunch, 2003-12-01, Z2
Ending the Free Lunch (IT reporting), 2003-12-01, Anonymous (1 reply)
Jouro-Lobbiest, 2003-12-01, Anonymous
Ending the Free Lunch, 2003-12-02, Anonymous
Ending the Free Lunch, 2003-12-02, Anonymous
Ending the Free Lunch, 2003-12-02, Anonymous (1 reply)
Ending the Free Lunch, 2003-12-04, Anonymous
Lame article, 2003-12-05, Anonymous
Ending the Free Lunch, 2003-12-05, Anonymous

Copyright 2009, SecurityFocus