According to Internet services company Netcraft's latest poll, open source Web sites dominate the Web site market. The November 2005 survey found that Apache Web servers run on 70 percent of all Web sites. In addition, almost every reputable site that asks you for any personal information will do so using the Secure Sockets Layer (SSL) protocol.
The overwhelming number of open source Web sites and the widespread use of OpenSSL to secure connections create a tremendous problem when vulnerabilities emerge. For example, in October 2005, the OpenSSL.org Project released a patch to fix a vulnerability in all previously released versions of OpenSSL (i.e., all versions up to 0.9.7h and 0.9.8a). For more details about this vulnerability, see the Secunia advisory.
The vulnerability involves the SSL_OP_MSIE_SSLV2_RSA_PADDING configuration option, which the commonly used SSL_OP_ALL option set turns on automatically.
The SSL_OP_MSIE_SSLV2_RSA_PADDING option is a common configuration workaround that disables a verification step in the SSL 2.0 server code. That step is what prevents active protocol-version rollback attacks: with it in place, an attacker acting as a "man in the middle" can't force a client and server to negotiate SSL 2.0 when both of them support SSL 3.0 or TLS 1.0. Blocking such a rollback is intentional, because of previously discovered cryptographic weaknesses in SSL 2.0.
This workaround's original purpose was to address interoperability issues between Web servers and the secure applications they serve. This is a classic case of two open source vendors trying to support every conceivable function that a Webmaster might enable on a Web site.
However, in this case, the lack of any application standards has led to a vulnerability that affects roughly three-quarters of all Web sites and comes preinstalled on Red Hat Linux. The OpenSSL Project has published a new version to address this issue and recommends immediate deployment. A patch is also available for those sites that can't upgrade due to interoperability problems with served applications.
While the issue of a newly discovered vulnerability that affects a large percentage of the computers running on the Internet has become quite common, the problem goes much deeper. One of the most persistent problems with software is patch management — and the larger the enterprise, the larger the problem.
Microsoft has taken steps to address this issue with its Automatic Updates service. In my opinion, the software company has done a good job of notifying users of available patches and updates.
On the other hand, the open source community continues to struggle with developing an integrated patch management solution. Most administrators have little time to check for patches or read vulnerability notices — if they've even signed up to receive them. That's why it's essential to know exactly what you've deployed on your systems and to check regularly for updates for that software.
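Knowing what is deployed means being able to tell, from a version string, whether a given OpenSSL build predates the fixed releases the advisory names. The script below is an added example, not part of the original article; the host:version inventory lines are constructed, and the only fact it relies on is that 0.9.7h and 0.9.8a are the first fixed releases on their branches.

```shell
#!/bin/sh
# Added example: classify OpenSSL version strings against the fixed releases
# named in the advisory (0.9.7h and 0.9.8a). Versions of that era are
# MAJOR.MINOR.FIX plus an optional patch letter (0.9.7g < 0.9.7h, 0.9.8 <
# 0.9.8a), so the letter has to be compared as a patch level, not as text.

# Turn "0.9.7h" into one comparable integer:
# ((major*1000 + minor)*1000 + fix)*100 + letter_rank, where a=1 .. z=26,
# no letter = 0, and "za" = 27 so the 0.9.8za.. series sorts after 0.9.8z.
version_key() {
    nums=${1%%[!0-9.]*}               # "0.9.7h-fips" -> "0.9.7"
    rest=${1#"$nums"}                 # -> "h-fips"
    letters=${rest%%[!a-z]*}          # -> "h"
    rank=0
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}   # first character of the letter run
        letters=${letters#?}
        rank=$((rank + $(printf '%d' "'$c") - 96))
    done
    old_ifs=$IFS; IFS=.; set -- $nums; IFS=$old_ifs
    echo $(( ((${1:-0} * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 100 + rank ))
}

# Exit 0 (true) when the version predates the fix on its branch.
openssl_vulnerable() {
    key=$(version_key "$1")
    if [ "$key" -lt "$(version_key 0.9.7h)" ]; then
        return 0                      # 0.9.7a-g and every older release
    elif [ "$key" -ge "$(version_key 0.9.8)" ] && [ "$key" -lt "$(version_key 0.9.8a)" ]; then
        return 0                      # the unlettered 0.9.8 release
    fi
    return 1
}

# Report on the openssl binary found on PATH, if any; nothing is downloaded.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl binary on PATH"; return 0; }
    installed=$(openssl version | awk '{print $2}')
    if openssl_vulnerable "$installed"; then
        echo "$installed: affected, upgrade to 0.9.7h / 0.9.8a or later"
    else
        echo "$installed: not affected by this advisory"
    fi
}

# Constructed sample inventory (host:version), e.g. collected from a fleet.
for entry in web1:0.9.7g web2:0.9.7h db1:0.9.8 db2:0.9.8a old1:0.9.6m new1:1.0.2u; do
    host=${entry%%:*}; ver=${entry#*:}
    if openssl_vulnerable "$ver"; then echo "$host $ver AFFECTED"; else echo "$host $ver ok"; fi
done
check_local_openssl
```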
Final thoughts
Before you start posting angry comments in this article's discussion, let me stress that I am not advocating dumping open source in favour of Microsoft. Rather, I am campaigning for the open source market to address the problem of patch management and to integrate third-party software into its solution.
If you run a system that connects to the Internet, it's imperative that you know what software is on that system — and keep it up to date. If you don't patch the holes in your system, it's only a matter of time before someone else exploits them.
Talkback
Complete bull. I do run Open Source technology and I'm subscribed to vulnerability problems in that area. Problems so far: zill. Problems in the Microsoft area: more than I wish. Reasons: some patches do work, some don't. Enough said.
States the bleeding obvious. An admin should always know what's running on their servers regardless of whether it is Windows, Linux, BSD, etc.
What it doesn't state is that all major Linux distributions have automated patching that is the equal to, if not superior to, Microsoft's update methodology. Instead the implication is that FOSS offerings are somehow a big risk because they are unpatched.
An unpatched and insecure server OS in either the Windows or Linux case results solely from poor administration.
All Linux distros I know that use openssl have an automatic update feature. What exactly are you under the impression is missing?
This is a non-issue for package managed distributions. For example, Debian-based distributions have shipped standard with system-wide update mechanisms (through APT) since at least 1997. Debian maintains a specific repository for security-only updates. A complete security update to your system requires a single line command:
apt-get update; apt-get upgrade
This includes every managed application on your machine. Better, it can do the update while the machine is under load. It resolves any necessary dependencies and sets up new library links without any input necessary from the administrator. Restart your server (no reboot necessary) and you will be using the latest code.
If you don't have this ability in your distro, find another distribution.
Does anybody with a production server use MS automatic updates? Not that I know of.
All of the mainline Linux server distros (RH, Suse, Debian et al) handle patches and updates quite well. The BSDs are rock-solid as well.
"On the other hand, the open source community continues to struggle with developing an integrated patch management solution"
If you had not been living under a rock for 2 decades, you would have known that patch management is not a problem, especially for the "open source community".
"Most administrators have little time to check for patches or read vulnerability notices — if they've even signed up to receive them. That's why it's essential to know exactly what you've deployed on your systems and to check regularly for updates for that software"
What are you trying to do now? Trying to teach sysadmins their jobs?
I bet that any sysadmin managing web sites knows that better than you. They even know that patch management for Open Source has never been a problem, which you don't.
Your statement that MS does a good job shows clearly where you come from.
"Rather, I am campaigning for the open source market to address the problem of patch management and to integrate third-party software into its solution"
You are campaigning a decade too late. This has already been done.
Writers should at least know what they are talking about before "campaigning".
FYI, every Linux distribution package manager is dealing with patch management too, and they are pretty well integrated solutions, which can update 100s of servers in a go if you want, automatically or with notification.
Before talking about FOSS, you should get a clue.
I have to disagree with this article. I think the patch management in Linux is better than Windows. I have Ubuntu installed at home and every few days a red exclamation mark appears in the systray; this notifies me to upgrade every single package on the system when there is a new release, not just operating-system-specific ones. Windows does not do this. I used to have Mandrake aka Mandriva and Red Hat and they did exactly the same, so I don't know what version of Linux the author was using.
yum -y update....done. Create a cron job and do it automatically. You're right, that's not a good patch management system. Now before anyone mentions the testing of packages to ensure nothing breaks, this isn't Windows. I have been running Linux for 7 yrs and have never had an update break anything...period. And that's with a full 6gb (everything on the Fedora DVD) install.
To say that Linux doesn't have a patch management system is a little too all encompassing.
For instance Gentoo GNU/Linux uses portage, which will automatically "patch" software for you, and I'm sure users of YUM and APT might have something to say about patching.
Although you can't exactly review patches and decide whether you want them or not if a patch is included in an update, i.e. if the makers of your distribution think the patch is important enough then you will get it when you run your update tool.
So I think much of your patching/updating argument is null and void. OK, yes, it would be nice if you could choose what patches you want and why they are there, but is that really that important? A major vulnerability like the one discussed in your article would certainly be included in updates.
In summary to say that GNU/Linux doesn't have update management is just wrong, in my eyes automatic downloading and installation of updates constitutes "management" maybe just not as much management as you get with Windows Update, but hey I will take prompt vulnerability fixing over a nice GUI which "babies" you through the whole process any day!
Do facilities like Debian's Apt-Get and Redhat's commercial equivalent count as patch systems? On Debian I can configure my system to automatically pull down patches on a regular interval. So I can see what's going on I choose to confirm the install, though it can be automated.
Pointing Apt at only the security updates repository gives a facility at least as good as Microsoft's, and a facility that covers every package on the system.
I'd expect the commercial solutions from Red Hat or SUSE would provide the same kind of functionality.
STUPID article.
Here's how I do patch management:
apt-get update; apt-get upgrade
Wow. That was tough.
The comment about open source patch management is nonsense.
There already exists automatic updates and patch management, and they work fine. It is even better because Microsoft only patches Microsoft products an not
This is what Yum and Apt are for on RPM and DEB-based systems respectively. Third-party vendors can participate in this system by making Yum or Apt repositories available with their updates. Various tools exist that will notify you when updates are available: Fedora has a script called check4updates, a desktop applet called rhn-applet, and a mailing list. You can even configure Fedora to do full daily updates automatically (see http://fedora.redhat.com/docs/yum/sn-updating-your-system.html). I'm sure other distros have similar mechanisms.
The article seems rather silly, since it appears to be presenting a feature in which Windows has been playing catch up as one where they are ahead and have an advantage. Apt-get has most certainly been around longer than Windows Update, and there are plenty of other options used in various Linux distributions at present such as yum, urpmi, yast, etc. Trying to pretend that everyone uses Linux From Scratch seems rather pointless.
Then of course there is also the problem that production website administrators can usually not take advantage of automated updates, but must first run every update on some sort of a test server to see if it causes problems before putting it into production. This is the case regardless of the underlying operating system. This fact is nearly beside the point as far as the accuracy of the article goes, but it is still relevant considering its context.
Ignorant rubbish! Why didn't you research before writing your article? I loathe this sort of shoddy "journalism." No wonder bloggers are so numerous and so popular; we sure can't count on the "professionals."
The facts are these: patch management in Linux can be either completely automated, manual, or a combination. The different distributions have their own methods of delivering patches, and there are methods that are common to all distributions, such as manual patching from sources.
Unlike Windows Update, Linux does not require a reboot after applying patches. Unlike Windows, Linux patches are not multi-megabyte monsters that introduce new problems.
Please, just once, try doing your homework before publishing.
I run SuSE Linux 9.3... on my desktop. The very things you claim open source needs, and that you suggest Microsoft provides... namely, updates to third party software through automatic updates... is precisely what SuSE provides through the SuSE Watcher application.
As a desktop end user who does not want to constantly deal with security patching, I rely on SuSE Watcher to automatically keep my operating system and third party applications up to date. I have it configured to automatically check for and update my system if necessary nightly.
When my Windows XP installation installs updates it ALWAYS forces a reboot to make the updates take effect and relentlessly pesters me until I do reboot, interrupting my work. Thank you Microsoft, very much!
No one is going to flame you for being anti-open source, per se. What they will flame you for is your blatantly inaccurate reporting.
Regarding patch management, I think you're somewhat misinformed in that the vendor of the server distribution should be responsible for automating updates and most do a good job of it. They provide the patch built in whatever packaging system your OS uses, usually in a short timeframe after it is available from the vendor (in this case the OpenSSL project). I just don't see the issue for production-level systems.
Where patch-management falls apart is for the individual user/hobbyist who doesn't properly use the patch tools available whether or not those are Microsoft or Linux or other UNIXes.
SpikeSource's products and services address this very problem. http://www.spikesource.com/
As with anything open-source and free software, it is always wrong to think in terms of one solution.
Linux is not *an* operating system, it is a whole group of operating systems.
And so, there is no one (central, big, ...) patch management but many different, robust, efficient and well established patch management systems.
Debian (and co.) users are well served by the famous apt-get system which will happily upgrade or patch any component of your system, be it Apache or your web browser.
Red Hat users are similarly served by RHN.
Fedora users have a choice between apt-rpm and yum.
There will never be one big solution to anything in the open source world; this is how monopolies work, not the open-source community.
What a pointless article. Any of the mainstream Distros (Fedora, RHEL/Centos, Debian/Ubuntu, Novell Linux) provide more than adequate patch (or Package) management.
Here is an idea for a useful article.
"Windows renders application management a problem"
How many times do you have to give normal users (especially mobile ones) either Power User or Admin rights just to do little things and even when they don't have the privileges the computers still get infected with Adware & spyware.
All UNIX & GNU/Linux systems provide better permission control in the form of sudo and other tools to only give the users rights to do what they want.
Patch management is irrelevant when the user can do stuff without the admin knowing.