On CERT's 2005 Software Vulnerabilities List
Saturday, December 31 2005 @ 03:48 PM EST
CERT has released its list of software vulnerabilities for 2005. Brian Krebs on his blog, Security Fix, reports:

"Security researchers uncovered a record 5,198 vulnerabilities in software products this year, nearly 38 percent more than the number of flaws found in 2004, according to statistics published by US-CERT, a cyber security information-sharing collaboration between the Department of Homeland Security and the CERT Coordination Center at Carnegie Mellon University in Pittsburgh."

Well, yes and no. Let me explain what I see.
Already some are trying to spin the list to imply that Microsoft has so many vulnerabilities, 812, because of its popularity. The way CERT has published the list, however, makes any comparison questionable, at least using this list as currently organized.

First, this is a list of vulnerability reports, and it lists them in the following categories: Microsoft Operating System, Multiple Operating System, and Unix/Linux Operating System. The last category means that AIX and Apple and FreeBSD and Solaris and Linux and ... gulp, ironically enough ... SCO OpenServer and UnixWare vulnerabilities ... are all lumped together, for a total of 2328, making a direct comparison between Microsoft and anyone else nearly impossible.

Second, the Unix/Linux list duplicates items, counting a vulnerability more than once. For example, it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
All the links take you to the same description of the same vulnerability, CVE-2005-2335, which tells you that there are no known exploits for this vulnerability. So another issue with the list is that there is no distinction made between truly widespread issues that caused real-life damage and vulnerabilities someone noticed but no one ever exploited. There is a difference.

By the way, there's a Microsoft security issue today, according to Government Computer News, whereby someone can create an infected WMF file and disguise it as a JPEG:

"Simply opening the wrong Web page or receiving an e-mail with an errant image file could be enough to cripple your computer, thanks to a newly discovered vulnerability in the Microsoft Windows operating systems.

“We believe that this vulnerability is extremely serious,” e-mailed Scott Fendley, today’s Handler on Duty for the SANS Institute’s Internet Storm Center. “It is extremely hard to protect against this vulnerability. It is not as easy of filtering files of a particular extension or setting a group policy.”

Microsoft Corp., of Redmond, Wash., has warned that the vulnerability is already being exploited by spyware, adware and viruses written to alter the behavior of users’ computers. The company is working on a patch, but has not said when it will be ready."

I'm sure you can see that the seriousness of such a vulnerability outweighs the POP3 Fetchmail issue. When was the last time you read a headline like this one about GNU/Linux or Solaris or AIX or Apple?

To be fair, the Windows list isn't really an accurate list of Windows vulnerabilities either, not the way I would think of it. It also has duplicative items, such as for Microsoft ASP.NET Canonicalization (Updated). And it includes Apple, F-Secure, IBM WebSphere, McAfee and other third-party vendor issues. If it can happen to you if you use Windows and the third party software, it's on the list, I guess. So, personally, I don't see 812 as being a fair number, unless you qualify what the number means. CERT does qualify this way:

"Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information."

So when you read about the list, keep in mind that no straight comparisons are actually possible, unless someone wishes to take the time to do what I've done here through the entire list. Hmm. Any takers?
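The combing-through described above can be sketched in code. This is an added example, not part of the original article and not CERT tooling: the row layout and helper names are assumptions, and every row other than the Fetchmail titles, the four weeks and CVE-2005-2335 quoted in the article is constructed. It shows why collapsing "(Updated)" titles alone is not enough, and why entries should be keyed on the CVE id where one exists.

```python
import re
from collections import defaultdict

UPDATED = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)
FETCHMAIL = "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)"

# Constructed sample rows: (section, title, week, cve_or_None).
# Only the Fetchmail titles, the four weeks and CVE-2005-2335 come from the
# article; the other rows, the "week-X" labels and the layout are made up.
ROWS = [("Unix/Linux", FETCHMAIL, week, "CVE-2005-2335")
        for week in ("August 10-15", "August 17-23",
                     "September 6-13", "November 9-16")]
ROWS += [
    ("Unix/Linux", "Fetchmail POP3 Client Buffer Overflow", "week-A", "cve-2005-2335"),
    ("Unix/Linux", "Example Daemon Denial of Service", "week-B", None),
    ("Microsoft", "Microsoft ASP.NET Canonicalization (Updated)", "week-C", None),
    ("Microsoft", "Microsoft ASP.NET Canonicalization (Updated)", "week-D", None),
    ("Microsoft", "Example Third-Party Viewer Buffer Overflow", "week-E", None),
]


def normalize_title(title):
    """Collapse whitespace, drop a trailing '(Updated)' marker, lowercase."""
    title = re.sub(r"\s+", " ", title).strip()
    return UPDATED.sub("", title).lower()


def dedupe_key(row):
    """Prefer the CVE id; fall back to the normalized title when none is given."""
    _section, title, _week, cve = row
    if cve:
        return ("cve", cve.upper())
    return ("title", normalize_title(title))


def tally(rows):
    """Return {section: (entries listed, distinct vulnerabilities)}."""
    raw = defaultdict(int)
    unique = defaultdict(set)
    for row in rows:
        raw[row[0]] += 1
        unique[row[0]].add(dedupe_key(row))
    return {section: (raw[section], len(unique[section])) for section in raw}


def title_only_unique(rows, section):
    """Distinct count if only titles are compared (misses renamed entries)."""
    return len({normalize_title(r[1]) for r in rows if r[0] == section})


def duplicates(rows):
    """Map each key listed more than once to the weeks it appeared in."""
    weeks = defaultdict(list)
    for row in rows:
        weeks[dedupe_key(row)].append(row[2])
    return {key: seen for key, seen in weeks.items() if len(seen) > 1}


if __name__ == "__main__":
    for section, (raw, unique) in tally(ROWS).items():
        print(f"{section}: {raw} listed, {unique} distinct")
    for key, seen in duplicates(ROWS).items():
        print(key, "listed", len(seen), "times:", ", ".join(seen))
```

On the sample, comparing titles alone still leaves the Fetchmail flaw counted twice, because one entry carries the "Eric Raymond" prefix and the other does not; keying on the CVE id collapses all five rows into one.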
|
|
Authored by: Peter H. Salus on Saturday, December 31 2005 @ 03:58 PM EST |
PJ,
We all love you. It's New Year's (almost) eve. Go off and have a glass of champagne on us.
Happy New Year, PJ, MathFox, everyone,
P
---
Peter H. Salus
|
|
Authored by: Chris Lingard on Saturday, December 31 2005 @ 03:59 PM EST |
Post in HTML, and put in those links, if you can.
|
|
Authored by: Chris Lingard on Saturday, December 31 2005 @ 04:01 PM EST |
Just in case, though I doubt it.
|
|
Authored by: Anonymous on Saturday, December 31 2005 @ 04:15 PM EST |
To get an idea of the 2004 vulnerability impact, there's the Scanit browser security summary. It will be interesting to see what they come up with for 2005.
Karl O. Pinc <kop@meme.com>
P.S. Those interested in stories of how visiting a web page can ruin your computer may want to read: What Part of Virus and Spyware Didn’t You Understand?
|
|
Authored by: ruurd on Saturday, December 31 2005 @ 04:30 PM EST |
Regarding the spin the ZDNet article tries to give on it, there's Lies, Vulnerability Lists and ZDNet articles :-)
Tallying like this is inane, thinking that the tallies actually MEAN something is insane.
People have been going over this again and again and again.
---
ruurd
|
|
Authored by: _Arthur on Saturday, December 31 2005 @ 05:04 PM EST |
SANS: The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus
The Twenty Most Critical Internet Security Vulnerabilities
#1: Windows Services
#2: Internet Explorer
#3: Windows Libraries
#4: Microsoft Office and Outlook Express
...
#16: UNIX Configurations Weaknesses
#17: Mac OS X
Not a single vulnerability has ever been successfully exploited so far on Mac OS X, which didn't prevent SANS from listing the whole OS as a "Top 20 Vulnerability"
_Arthur
|
|
Authored by: Stumbles on Saturday, December 31 2005 @ 05:55 PM EST |
So just what exactly is US-CERT trying to accomplish with such a pitifully hosed up report? From the looks and sound of it, it's pretty much worthless.
---
You can tuna piano but you can't tune a fish.
|
|
Authored by: kawabago on Saturday, December 31 2005 @ 05:58 PM EST |
We must accept that software will always have vulnerabilities. The best way to
defend against this reality is to nurture a diverse eco-system of software so
that no one implementation of anything is used exclusively everywhere.
Microsoft's monopoly is like a ripe fruit ready for every nefarious hacker to
exploit. One little piece of code can literally infect 90% of the computers on
earth. That is why we need much more diversity in operating systems, so
malicious code will only infect a small percentage of machines. Virus writers
would find it much less rewarding.
I love linux, but I will love the next OS that comes along even more because it
will bring even more diversity and make it that much harder for malicious coders
to succeed. The only down side to that is drivers. At some point I think we'll
need a standard driver interface across all platforms if manufacturers are to
have any hope of supporting all the different OS's, but that can and I'm sure
will be done at some point.
---
TTFN
|
|
Authored by: Anonymous on Saturday, December 31 2005 @ 06:34 PM EST |
Happy New Year!
/IMANAL
|
|
Authored by: chris_bloke on Saturday, December 31 2005 @ 06:57 PM EST |
PJ wrote:
"So another issue with the list is that there is no distinction made between truly widespread issues that caused real-life damage and vulnerabilities someone noticed but no one ever exploited. There is a difference."
Sadly I have to disagree, the key word about exploits in the entry about that vulnerability is known, and that just means that the good guys aren't aware of an exploit for it, it doesn't mean that the Black Hats haven't already got one just and either not published it or it hasn't been discovered after poorly hiding it during an attack.
I don't disagree that there is a big difference in the level of risk between a fetchmail vulnerability and an Internet Explorer vulnerability, but the difference between a vulnerability with no exploit code and one with may just be a few minutes or hours of coding.
Remember the old quote about a password guessing attack against Windoze:
"That vulnerability is completely theoretical." -- Microsoft
Which, of course, was like a red rag to a bull, so l0phtcrack appeared, with the slogan:
L0pht, Making the theoretical practical since 1992.
Chris
|
|
Authored by: Anonymous on Saturday, December 31 2005 @ 07:03 PM EST |
Happy New Year everybody. xxxxxxxxxxxxxx
|
|
Authored by: SilverWave on Saturday, December 31 2005 @ 09:08 PM EST |
Just finished "First Footing" (North east of England 3.5C)
It's 2:04 and We are calling it a night.
Happy New Year, PJ! :-)
SilverWave's 1st post of 2006
---
"They [each] put in one hour of work,
but because they share the end results
they get nine hours... for free"
Firstmonday 98 interview with Linus Torvalds
|
|
Authored by: cknadle on Sunday, January 01 2006 @ 12:45 AM EST |
The issue of security vulnerability reports of software has always been controversial.
Some vendors ask that vulnerability reports not be released until a patch can be programmed, so sometimes reports of known vulnerabilities are artificially "late". Vulnerabilities of software common to various Linux distributions are often counted numerous times -- once per distribution. Arguments about the security of various OS's abound, sometimes trying to compare bottom line numbers of the number of reported vulnerabilities -- sometimes trying to compare the vulnerability severity -- sometimes looking at patch turnaround time -- etc. I don't even know how it would be possible to prove that there was a clear winner.
Similarly the benchmark comparisons between various computer CPUs has always been controversial, and now most benchmarks have to incorporate typically used programs because otherwise benchmarks are too subjective... and even then the results aren't totally clear.
Even going on reported break-ins is difficult, because then there are arguments about how many weren't reported.
I have my personal beliefs as to what is more secure [starts with an 'L'], but it's too difficult to try to back that up with any kind of provable or repeatable data, and there are always niche situations where one OS is better suited than another... so I'll just leave it at that.
Happy new year, all.
-- Chris
|
|
Authored by: webster on Sunday, January 01 2006 @ 01:17 AM EST |
...to PJ and all on Groklaw. I spoke to my brother and 3 cousins from
Katrinaland, MS. It was quite a year for them. Half of them stay in a FEMA
trailer in the driveway. But they are still there and all working! Others have
been driven from New Orleans but have returned. Some could not. Let's hope we
don't have another year like the last for another 30 years.
---
webster
|
|
Authored by: Anonymous on Sunday, January 01 2006 @ 04:15 AM EST |
Hey, they got their list out a bit early... This one must not have even been on it... how many times would it have been counted! We will have to wait and see as SANS has just put it back up to YELLOW again!
http://isc.sans.org/
They were at Yellow earlier this week, then to green, now back up to Yellow - it seems that they are saying that if you run a Windows Box that your only option is to RUN AWAY and leave the machine off!
|
|
Authored by: Anonymous on Sunday, January 01 2006 @ 04:17 AM EST |
``... so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.''
I (and I'd guess most readers) pretty much assumed that a mistake such as that was behind these inflated numbers.
Thanks for taking the time to confirm that, PJ. Now I really do hope that you took the time to enjoy the coming of the new year doing something besides debunking someone else's faulty statistics. (Lest anyone think I don't have a life, let me point out that the get-together was a rousing success, the guests have all left, and I'm only posting after finishing the cleaning up. Well most of it, anyway.)
Happy New Year all!
|
|
Authored by: Qrczak on Sunday, January 01 2006 @ 07:19 AM EST |
Vulnerabilities with titles mentioning "buffer overflow" or
"format string" are caused by overusing unsafe low-level languages
like C and C++.
|
|
Authored by: Winter on Sunday, January 01 2006 @ 07:41 AM EST |
Meaningful statistics on browser security are possible. This study shows that in 2004 fully patched browsers were vulnerable for the following fraction of the year:
- IE 98% (359 days, ie, 7 days safe)
- Mozilla 15% (56 days)
- Opera 17% (65 days)
That is, only during 7 days in 2004 was a fully patched IE actually safe to use.
Rob
---
Revenge, Justice, Security, and Revenge, choose any two.
|
|
Authored by: Anonymous on Sunday, January 01 2006 @ 10:33 AM EST |
Hippo Gnu Ear to all Groklawiens and of course to PJ :)
Enjoy the quiet while it lasts
Newbee
|
|
Authored by: brc on Tuesday, January 03 2006 @ 12:21 PM EST |
Comparing how many patches or even how fast they are fixed, for any given OS, tends to be a useless comparison. Every OS will have them occasionally, and any vendor can inevitably twist the numbers to say what they want. And it only takes one to hurt you.

The true long term difference is whether the flaw is a design flaw or a coding bug, and if exploited, how damaging it is. A coding bug like a buffer overflow or missed exception can be fixed, because it is an unintended result of how the program functions. In contrast, a design flaw cannot necessarily be fixed, because the program was intentionally coded this way, and fixing it means breaking the intended functionality of the program.

With a design flaw, the product was intentionally written to do something that turns out to be a bad idea. It's things that may be trumpeted as great features of a product, that people may use for valid business reasons, but that because they were not thought out with security in mind, are easily exploited by attackers. Because they are intentional functionality, you can't create a fix that prevents the attacks while leaving the product intact and working as it did before.

Microsoft's biggest problems are not the unintentional bugs (which every OS has) - they are the design flaws that are all so common in MS software. Some of the more common examples of this are:
Windows OS

Every user is, by default, superuser/administrator/root on Windows. You can change this if you know how, but most people don't bother, or even know it's an issue. As a result, users can accidentally destroy their OS, and any program they run has the potential to do so, either by accident or design (i.e. viruses and trojans). The OS can't really protect itself from the average user (or processes the user runs - intentionally or otherwise). And if you do know enough to create non-admin users, there are lots of programs out there that break when you do so, because they expect the default wide open access.

Consider a flaw in a program like IIS or Exchange - The whole point of them is to expose them to the Internet. If there is a bug in these programs (i.e. an unintentional, fixable issue), the fact that they cannot be jailed by the OS means that if an attacker exploits a bug and gets in, the entire machine is suspect (i.e. if IIS or Exchange is compromised, so is the OS). Contrast that to a typical unix web or mail server, where they often can be put in a chroot jail (completely isolated from the majority of the OS), or at least run as a user with limited access. By design, MS has a very thin shell that, once broken, leaves the entire OS wide open. Unix variants, including Linux and MacOS, have many layers of protection that Windows simply lacks.

One only has to point to Code Red and its many variants to prove this point.
MS Office vs Open Office.org (for that matter, most non-ms office programs)

MS Word/Excel contains macros that allow you to do just about anything in the OS - including writing to system files, etc. And it allows this wide open access by default. Open Office and others don't allow this, so you don't get macro viruses. It used to be that we had things like boot sector viruses or exe infectors, and these were easy to catch and get rid of. They took a certain level of skill to write (typically assembly or c), and were very sensitive to OS changes, so there were relatively few of them. Now, we have thousands of viruses, they are easy to write, and people readily accept them into their system (via social engineering - viruses can say "here's that doc I promised you", and too many people will open it to see what it was they "forgot they asked for").

Microsoft can't truly fix this issue without completely breaking MS Office. Add to that the fact that MS Office (which because all users are superuser by default) has full access to the entire OS, and you're in a lot of trouble. Contrast that to, say, Linux: By default anyone with a lick of sense does not run normal user processes like word processing as root. If you run MS Office on Linux (say, in crossover office/wine), and you get infected, the WORST that it can typically do is destroy your home directory. It can't infect or otherwise corrupt your entire OS. Again, this is a difference in design decisions made by MS vs others.
Outlook

MS Outlook, by default, will run scripts received in email from untrusted sources. Simply by opening a message, you can become infected. You don't even have to save and run an attachment. There is no "fix" that doesn't break intended functionality of the product. Luckily most people can turn this off, since it is a fairly unused feature, but many don't even know to turn it off. MS may have turned this off by default in one of their updates, but the fact that it's there means some people will want to turn it on to use it, and will in turn be vulnerable. Best to completely remove it, or at least make it a module that is not installed by default. Note that if a system is compromised, a virus/trojan can do anything, including turning this functionality back on if it's there (since by default all users processes are running as superuser).
Internet Explorer

1. Active X

MS created Active X without any competent consideration for security. An Active X widget is pure x86 code, can't be sandboxed, can't be controlled. It can do anything down to rewriting/destroying your cmos, and there's no way to secure it. MS loudly trumpeted the fact that active x widgets can be signed, so you know who they came from. But... most people don't pay attention to that until after damage is done, at which point you have potentially lost what is important (i.e. it could destroy or infect files, wipe your hard disk, irreparably harm your hardware by wiping out cmos flash memory, install spyware, send your sensitive files back to the attacker, and erase all evidence of itself, including the signature, or even put in a false signature to fool you.) So, signed active x widgets don't really protect most users. Plus, if the active x widget cleans up evidence of itself, you may not remember or be able to go back and find it again to find the signature. On top of all this, keep in mind that a reputable certificate authority accidentally granted a 100% genuine Microsoft certificate to someone that wasn't Microsoft.

Contrast this to things like java applets and javascript/ajax, which runs in a sandbox, doesn't have the level of access to your local system as Active X, and can only talk back to the server it came from. Plus, these are cross platform technologies.

2. Integration into the OS

Internet Explorer is tightly integrated into the OS, so you can't easily limit its access to the OS, because of this tight coupling. As a result, any bugs in the code have much more access to the OS, so can compromise the OS much more thoroughly. If instead, it was run purely as a user process, and users were not full admins by default, the amount of damage it could do would be far less. Add that to active X, and you have a real concern.

Some people will say "I'm safe, because I only visit reputable web sites". That is no longer a valid defense - attackers will compromise reputable companies' web sites - even some banks have been hit - and install stealth code/active x objects, etc, so that when you visit the reputable site, they hit you with their virus/trojan.

"MS Market share is why its products are attacked so much more often"

Some people will say that MS products are attacked so often because they are so widespread - that if Linux were 90% of the market, it would be targeted more often. This is probably true that Linux would be targeted more, but it's clear from the above that even if that ever happened, Linux/Unix variants would be less vulnerable to attacks, and successful attacks would typically have less impact. A perfect example of this is Apache and IIS - Apache (running on linux) is far and away the most common web server on the Internet, and web servers are probably the most common type of service on the Internet (with the possible exception of email servers). Despite this, IIS servers are attacked, because they are so much easier to compromise, and once compromised, the impact is so much greater - you have the entire OS with IIS, vs possibly just taking control of a web server and defacing it with apache. Note that with apache, though, you can deface it, but can't typically truly take it over, since config files, executables, and often the html content are read-only even to the apache server process itself (again, OS design decisions play a part here), whereas with IIS, you own the entire machine, so can change IIS's configs, launch further attacks from within the firewall (from the web server that was just taken over), etc.
Internet Zombies

Given the above examples, it's clear how easily a Windows box can be compromised. We see the results most clearly in the case of Internet Zombies - Spam makes up well over half of all email on the Internet these days, and is probably mostly sent from Internet Zombies - Windows boxes that have been compromised and taken over to send out forged email or perform other types of attacks. I've never seen a zombie that isn't a windows PC, which should tell you something by itself. And attackers have created massive armies of compromised zombie machines to launch large scale attacks, without the owners of the physical hardware even knowing, in most cases, that they no longer control their own machines.

When you look at the design decisions made in creating Windows, the lack of user vs admin restrictions, the lack of being able to jail processes, etc, you see why it's so easy and attractive to attack windows machines to turn them into zombies. You simply can't do the same thing to a *nix box - there are too many layers of protection to allow something like that to happen as easily and as widespread as it does on Windows.
One last point:

Microsoft's PR engine may claim, quite insistently, that security is important, and touts all kinds of security initiatives. However, you only have to look at the design decisions MS makes (the above being but a few), and it's clear that all those announcements are simply smoke and mirrors, and that the true problems are NOT being solved. There is simply no technical way to solve the problems while at the same time not completely breaking backward compatibility.
|
|
Authored by: Anonymous on Thursday, January 05 2006 @ 12:00 AM EST |
Check out this Slashdot discussion on this topic. One of the /.ers piped the results through grep and cat to eliminate duplicates. The result is a much, much closer similarity in reported vulnerability instances. And of course, there is the issue as to which of the listed OSes had quicker fix time. There is no way that MS can fix holes as quickly as the FOSS community.
Slashdot discussion