Patching the patchmen
Posted: December 19th, 2003 | 7 Comments »You’ve probably already seen the “open source” patch to Internet Explorer which fixes the recently-found URL spoofing vulnerability.
You may also have seen that this patch has a few nasty holes of its own and calls home occasionally (though only when it hits an exploit attempt, so I think that’s reasonable), thus prompting fears that Microsoft pay point at this as an example of poor open source code quality.
However – and this is the killer point – the patch has been patched by someone else, namely Paul Hsieh (code diffs here). Now, it may be illegal (the reason that I quoted the words “open source” in the link to the patch above is that the first patch has a few distinctly non-open clauses regarding its distribution) but if there’s a single winning argument you can make in this whole story for the open source security model, this is it.
This has fascinated me because I’m one of the people who, despite being an open source fan, thinks that Microsoft sometimes gets a raw deal about buggy code and patches (as I’ve commented here and here – quick summary: MS has to push its patches through a longer QA system for fear of 1% of installs breaking and clobbering a million machines). However, recently the sheer number of unpatched holes in MSIE has become ridiculous and it’s time to give up on it. Frankly, the only real patch is to move to Firebird.
“MS has to push its patches through a longer QA system for fear of 1% of installs breaking and clobbering a million machines”
It’s almost a shame that MS doesn’t use the bleeding edgers on the internet for QA. Imagine if the “Automatic Update” had an option along the lines of “I’m prepared to accept patches during a testing period and issue bug reports if problems arise”.
The analog in Debian GNU/Linux is setting your machine to “unstable/testing/stable”, where each is a trade-off between newness and stability(stability here meaning general use for a period without critical bug reports).
So when I run “unstable”, I’m contributing in some way to those that wait for the tested updates.
(As far as I know, MS might already have that, if so ignore me…)
assorted sweets #22
I’m just mad about organizing, just mad I tell you Open source patch for the open source patch for MS bugware The ultimate web traffic dashboard If it’s Tuesday, they must be sending Buying online, buying offline – turning it into a beneficial cycle W…
What — I only get the distinction of being called “someone else”? Sheesh … and here I was thinking writing OS code would make me famous …
Anyhow the bug I solved is a very common problem with string handling in the C and C++ languages in general. For more information on safe string handling in C/C++ in general please visit the following:
http://bstring.sf.net/
http://www.pobox.com/~qed/userInput.html
Ahem – my grovellingest apologies. Fixed.
“Frankly, the only real patch is to move to Firebird.”
I agree whole-heartedly with that.
This while thing is rather weird… I do not dare to apply any of these patches… using opera is the real solution for me and reveals PayPal-hoaxes as I received tenth alike only today!
regards,christoph
This whole thing is rather weird… I do not dare to apply any of these patches… using opera is the real solution for me and reveals PayPal-hoaxes as I received tenth alike only today!
regards,christoph