BindView Research Report: Vulnerabilities in Operating-System Patch Distribution
Dec 25, 2000, 15:47
(Other stories by Matt Power)
"In this research project, BindView Corporation has studied the
processes by which 27 operating-system vendors distribute security
patches. The report focuses on vulnerabilities in these processes,
with the hope that customers can use the information to assess the
adequacy of the processes used by their own vendors, in both an
absolute and comparative sense. Customers may wish to work with
their vendors to identify any changes in these processes that may
be warranted. The vendors included in this report were selected
because we think each one produces an operating system that is
regularly used on a production basis in commercial environments,
and because at least one of the following was true:
- security patches for the operating system are widely announced
to the public, e.g., via the bugtraq@securityfocus.com mailing
list
- a security-patch process for the operating system is described
on the vendor's web site in a location that we were able to
find."
"There is also the problem that, currently, few if any
operating-system vendors provide a PGP signature for every file in
the distribution. For example, some Linux vendors provide a PGP
signature for every package but do not provide a PGP signature for
the downloadable boot-floppy image. Also, BSD Unix vendors
typically provide some files that contain MD5 checksums of the
operating-system distribution files, but the checksum file is not
PGP signed...."
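The second excerpt makes a point that is easy to state and easy to get wrong in practice: an MD5 checksum file that is itself unsigned proves nothing about who produced the files, because whoever can replace a distribution file on a mirror or in transit can regenerate the checksum file to match. What follows is an added example, written for this page and not taken from the BindView report or from any vendor's tooling. It builds a small constructed "distribution", writes an md5sum-style checksum file for it, and compares two verification policies against a tampered copy in which the boot image has been swapped and the checksum file regenerated. Ed25519 stands in for the PGP signature the report refers to (an assumption made so the example runs on the standard library alone); the file names and contents are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Distribution is the set of downloadable files a vendor publishes, keyed by
// file name. The contents used below are constructed sample data.
type Distribution map[string][]byte

// ChecksumFile renders an unsigned manifest in md5sum style, one line per file:
//   <hex md5 digest>  <file name>
func ChecksumFile(d Distribution) []byte {
	names := make([]string, 0, len(d))
	for n := range d {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := md5.Sum(d[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// VerifyUnsigned checks each downloaded file against a checksum file and
// trusts the checksum file as-is. This is the arrangement the report attributes
// to BSD vendors: integrity of the download, but no evidence of origin.
// It also refuses any file that the manifest does not cover, which is the
// "signed packages but unsigned boot image" gap from the first example.
func VerifyUnsigned(d Distribution, manifest []byte) bool {
	seen := 0
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return false
		}
		data, ok := d[fields[1]]
		if !ok {
			return false
		}
		sum := md5.Sum(data)
		if hex.EncodeToString(sum[:]) != fields[0] {
			return false
		}
		seen++
	}
	return seen == len(d)
}

// VerifySigned first checks the vendor's signature over the manifest and only
// then trusts the digests inside it. Ed25519 stands in for PGP here (an
// assumption for this example); the property is the same: an attacker who
// rewrites the manifest cannot produce a valid signature without the key.
func VerifySigned(d Distribution, manifest, sig []byte, pub ed25519.PublicKey) bool {
	if !ed25519.Verify(pub, manifest, sig) {
		return false
	}
	return VerifyUnsigned(d, manifest)
}

// Tamper models a compromised mirror replacing the boot image and regenerating
// the checksum file so that every digest still lines up.
func Tamper(d Distribution) (Distribution, []byte) {
	t := make(Distribution, len(d))
	for n, c := range d {
		t[n] = c
	}
	t["boot.img"] = []byte("trojaned boot image (constructed)")
	return t, ChecksumFile(t)
}

// Result records how each policy fares on the genuine and tampered downloads.
type Result struct {
	GenuineSigned    bool // signed manifest accepts the real files
	TamperedUnsigned bool // unsigned manifest accepts the tampered files
	TamperedSigned   bool // signed manifest accepts the tampered files
}

// Demo signs a manifest for a constructed distribution, tampers with a copy,
// and runs both verification policies.
func Demo() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	orig := Distribution{
		"boot.img":    []byte("genuine boot image (constructed)"),
		"pkg-1.0.tgz": []byte("genuine package (constructed)"),
	}
	manifest := ChecksumFile(orig)
	sig := ed25519.Sign(priv, manifest) // the vendor signs the manifest once

	tampered, fakeManifest := Tamper(orig)
	return Result{
		GenuineSigned:    VerifySigned(orig, manifest, sig, pub),
		TamperedUnsigned: VerifyUnsigned(tampered, fakeManifest),
		TamperedSigned:   VerifySigned(tampered, fakeManifest, sig, pub),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine, signed check:    %v\n", r.GenuineSigned)
	fmt.Printf("tampered, unsigned check: %v (tampering missed)\n", r.TamperedUnsigned)
	fmt.Printf("tampered, signed check:   %v (tampering caught)\n", r.TamperedSigned)
}
```

The unsigned check passes on the tampered copy because the attacker controls both the files and the checksum file; the signed check fails because the only signature available was made over the original manifest. Note that signing the manifest only protects files the manifest lists, which is why the check above also rejects any downloaded file the manifest does not mention.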