
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security



In some mail from Matthew Murphy, sie said:
> 
> Even though MS, by the time you factor in the large number of components
> they ship, has had many times fewer patch releases than competing Linux
> distributions?
> 
> 1. OpenSSH v. Remote Desktop / Terminal Services
> OpenSSH: Two vulnerabilities in recent weeks
> RD/Terminal Services: Zero vulnerabilities this year

But according to OpenBSD's web page, the "two vulnerabilities"
are not remotely exploitable (at least on their platform) so
what exactly are you counting here?

> 2. Sendmail v. Exchange
> As buggy as many people claim Exchange is, it has had two patches this
> year -- if you include OWA.  Even though it provides substantially larger
> amounts of functionality for some uses, it has still had fewer
> vulnerabilities than its main competitor, Sendmail.

sendmail dates back to a time when defensive programming wasn't
considered as important as it is today and as such is at a considerable
disadvantage in many ways to more modern mail software programs such as
Exchange or postfix or qmail when compared in this manner.

Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html