Skip to content

Microsoft Secure


I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment:

You are showing Red Hat 3 numbers – why are you intentionally comparing Windows to such an old version ?

This sort of surprised (and puzzled me), but in some sense I do understand the comment.  It reflects the different mentality that is sometimes attached to the Linux and Open Source development model (emphasis on fast) – in some ways comparable to those companies that always upgrade to the latest, bleeding edge versions of software – the thinking defaults to the latest innovation and not to thinking about long term Enterprise deployments. [NOTE:  I’m not saying Red Hat thinks this way, just reflecting what a wide range of differences there are when you talk about “Linux”]

Microsoft has Windows customers still running Windows NT in production under custom support.  Many customers are running Windows 2000 as a main platform.  Windows XP and Windows Server 2003 may be the current sweet spot, but my point is that in the Enterprise, customers only upgrade every few years (at best).

Let’s look at a timeline of Windows and Red Hat Enterprise Linux releases:

  • 2000 February:  Windows 2000
  • 2001 October:   Windows XP
  • 2002 May:          RHEL 2.1
  • 2003 April:         Windows Server 2003
  • 2003 October:    RHEL 3
  • 2005 February:   RHEL 4

Of course, I don’t know anything about percentages of Red Hat deployments with respect to versions (or anything else for that matter), but there are some practical considerations based upon RH support policy

[NOTE:  In my opinion, Red Hat currently has the best Enterprise support policy of any Linux distribution with 7 years.  Also note, however, that they only support their application stack products for 3 years, rather than 7.]

Full support for RHEL3 ended in April – they stopped updating ISO images at that time.  Deployment support ends this month and the product enters a Maintenance period until until 2010, where they commit to security fixes but not other types of updates.  In suport terms, this puts RHEL3 in the same bucket as Windows 2000, which is also in a maintenance support period until 2010.

So, though RHEL3 released 6 months after WS2003, it is entering a phase where customers are discouraged from making any new deployment on it and instead are encouraged to use RHEL4 (and RHEL5 is now in Beta). 

Mostly, this is all just FYI, I’m not drawing any conclusions about whether this is good, bad or indifferent. 

Practically, for my security analysis, it means I’m going to stop analyzing RHEL3 and just focus on RHEL4 and subsequent releases, and this is just a long-winded explanation of why RHEL3 is going to drop off of my analysis.

And, to circle back to my starting point, I find it very interesting that RHEL3 is considered an “older release” and some consider it “unfair” that I might make comparisons between it and WS2003…