[Info-vax] A possible platform for VMS?
Kerry Main
kerry.main at backtothefutureit.com
Sun Mar 1 13:17:37 EST 2015
> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at info-vax.com] On Behalf Of
> terry+googleblog at tmk.com
> Sent: 01-Mar-15 6:15 AM
> To: info-vax at info-vax.com
> Subject: Re: [New Info-vax] A possible platform for VMS?
>
> On Saturday, February 28, 2015 at 5:53:24 PM UTC-5,
> johnwa... at yahoo.co.uk wrote:
> > IE might historically have had more holes than a Swiss cheese, but
> > even if you eliminate all the IE-specific holes there are plenty left.
> > I specifically picked the two I mentioned above, from the larger
> > selection in that month's list, because those two didn't require IE
> > as part of the exploit.
>
> Regarding the IE issue, a good chunk of the problem is due to the
> historical decision to make IE "part of Windows" (IE code in the OS
> proper, and OS code in IE). 3rd-party browsers manage to provide
> (generally) more nimble and more secure implementations in a smaller
> footprint. Perhaps Microsoft's "new browser" (the code they're working
> on that will NOT be called IE and jettisons IE compatibility) will have
> learned from this mistake.
>
> As someone who advises a number of customers on patching / security
> on a number of platforms, what is of much more concern in the
> Microsoft Model is the number of dud patches in the last year or so. I
> think the record was "the patch to fix the patch to fix the patch that
> patched the bug".*
>
> Also of concern are "critical" or "important" patches that are
> unnecessary. The one that really drives this point home is this month's
> KB3006137, which caused a reboot when a user logged out. Why?
> "Update changes the currency symbol of Lithuania from the Lithuanian
> litas (Lt) to the euro (EURO) in Windows". That is just idiotic to release as
> an out-of-band force-reboot patch, and I told Microsoft that (not that
> they listen to me any more).
>
> On the other hand, in modern Windows a good number of the patches
> can be applied without needing a reboot. Video drivers are an excellent
> example of wholesale driver replacement without needing a reboot.
> Quite a far cry from the old "Your mouse pointer has moved. Windows
> must restart to recognize these changes" model.
>
> Patch-in-place is becoming more popular. Recent Linux kernels now
> support live patching, for example. Perhaps this is something VSI can
> investigate as part of the port to a new architecture.
>
> *
> http://www.theregister.co.uk/2015/02/15/microsofts_patchwork_falls_apart_again
This is a good example of what can happen when shops adopt
"patch-n-pray" and do not retest important things before rolling out
to prod environments.

The concept of patch-in-place is a good one so long as it is recognized
that testing still needs to be done before implementation in prod
environments.
Regards,
Kerry Main
Back to the Future IT Inc.
.. Learning from the past to plan the future
Kerry dot main at backtothefutureit dot com