Tuesday, August 01, 2006

Has Linux patching surpassed Mac and Windows?

This may seem like a shock, but is it possible that Linux patching has surpassed that of the Mac and Windows operating systems? Recent vulnerabilities in Flash and Firefox, which can affect multiple operating systems, highlight a weakness in the Mac and Windows auto-update processes: they are primarily focused on patching Apple- and Microsoft-specific issues.

Most modern Linux distributions such as Red Hat, SuSE and Ubuntu, on the other hand, have automatic update mechanisms that patch across the entire spectrum of software, since Linux by its very nature is made up of a collection of applications from different sources.

Most regular users don't really think about the patching process and can't possibly keep up with all the security advisories. If we take this particular vulnerability report for a critical flaw in Macromedia Flash, I would bet that the average computer user still hasn't patched this vulnerability and won't until some mechanism forces them to update.

The Windows and Mac update mechanisms will not bother with this particular vulnerability, but Red Hat has already released a patch as part of its regular Linux update process. Microsoft has released patches for Macromedia Flash in the past, but only because it was the version bundled with Microsoft Internet Explorer. Windows Update will not address this particular Flash vulnerability, which technically isn't Microsoft's fault, but it is still a very serious problem for Windows users that can lead to complete system compromise.

Microsoft has made some effort to consolidate the patch process for all Microsoft products with their Microsoft Update site, but this only addresses part of the problem for most Windows users. I'm not necessarily blaming Microsoft and Apple for not dealing with vulnerabilities from third party software vendors since they can't be legally held responsible for someone else's software, but the major Linux distributions have already made the effort to consolidate the update process. At the very least, it's an opportunity for Microsoft and Apple to make life easier for their users.

Perhaps what is needed is a centralized location for approved third party vendors to provide their latest critical updates within the Windows and Mac update systems, which should at the very least include common software such as Macromedia Flash and maybe even Mozilla Firefox. Then let the users opt in or out of third party patches within the regular auto-update mechanism. Even a notification system on third party vulnerabilities would be better than nothing. Without this, the average Windows and Mac user will simply leave the door wide open on third party applications for hackers to exploit.
