Microsoft’s priorities…



I didn’t really think of this in context, but George Ou points out that Microsoft issued an “out of cycle” patch for their DRM software in response to the FairUse4WM software that stripped DRM protections from Windows Media Files. It took a mere 3 days from being made aware of the issue to releasing a patch. In context, we have seen numerous instances in the last year of “zero-day” vulnerabilities becoming known just after a monthly patch day, and Microsoft waiting until the next patch day to release a fix. So why the different response?


Some might give Microsoft the benefit of the doubt. Patching a full application is different from just patching DRM schemes; it requires a lot more testing to make sure things work right and don’t break. (I presume with this argument there’s no concern for media files “breaking” in any way with a change to the DRM scheme – of course, we could get into a tangent on “broken” in relation to media files, but we’ll save that for another time…)

I’m not giving them the benefit of the doubt. In fact, I think it’s fairly obvious. There are several very large companies that are paying pretty big for Microsoft’s DRM and are nervous at the thought of broken DRM. I wouldn’t be surprised if, on news of this DRM “workaround” or breakage, they didn’t hear from some VERY upset people with some of the big content distributors “urging” them to fix things as soon as possible. (OR ELSE.)

When it comes to security vulnerabilities in a Microsoft product there isn’t a single entity that can tell them… “Look – you need to get this fixed now, or we’ll suspend our contract and go elsewhere.” This is ONE of the many reasons that I think we need to really invest time and attention in potential alternatives to Windows (as well as other Microsoft products). Because the day that there’s a zero day in Microsoft Office that prompts Fortune 500 companies to say, “you need to get this fixed or I’m migrating to xxxxoffice suite and not coming back,” we won’t see quite the responsiveness on security issues. One thing on this: moving away from the one-time software purchase model may actually be a good thing for this to change, because if you’re “subscribing” to the software (or maintenance) you have more leverage to be able to say “fix it or I’m out the door”.

It would be interesting to hear Microsoft’s explanation of how this patch was streamlined so quickly, while most security updates sit on the shelf longer. Oh, and by the way, DRM was slightly broken again within a couple days after the patch. (But not for songs with an expiration date, i.e. subscription services.)

Oh, by the way, it is that time again – updates coming Tuesday (September 12). SANS has details – 2 “important” updates for Windows (no critical this time…) and 1 critical for Microsoft Office (hopes are that this fixes the most recent zero-day vulnerability that’s been circulated). There are other non-security related updates for a total of 9, but it seems relatively low-key. The bulletin from Microsoft can be found here. (Yes, a reboot will be required for at least one of the updates.)

Brian Krebs of the SecurityFix has the story as well, and notes that this is far fewer than what we’ve seen in recent months on Patch Tuesday.
