I didn’t really think of this in context, but George Ou points out that Microsoft issued an “out of cycle” patch for their DRM software in response to the FairUse4WM software that stripped DRM protections from Windows Media Files. It took a mere 3 days from being made aware of the issue to releasing a patch. In context, we have seen numerous instances in the last year of “zero-day” vulnerabilities becoming known just after a monthly patch day, and Microsoft waiting until the next patch day to release a fix. So why the different response?
Some might give Microsoft the benefit of the doubt. Patching a full application is different than just patching DRM schemes, it requires a lot more testing to make sure things work right and don’t break. (I presume with this argument there’s no concern for media files “breaking” in any way with a change to the DRM scheme – of course – we could get into a tangent on “broken” in relation to media files, but we’ll save that for another time….)
I’m not giving them the benefit of the doubt. In fact, I think it’s fairly obvious. There are several very large companies that are paying pretty big for Microsoft’s DRM and are nervous at the thought of broken DRM. I wouldn’t be surprised if, on news of this DRM “workaround” or breakage, they didn’t hear from some VERY upset people with some of the big content distributors “urging” them to fix things as soon as possible. (OR ELSE.)
When it comes to security vulnerabilities in a Microsoft product there isn’t a single entity that can tell them…. “Look – you need to get this fixed now, or we’ll suspend our contract and go elsewhere.” This is ONE of the many reasons that I think we need to really invest time and attention in potential alternatives to Windows (as well as other Microsoft products). Because the day that there’s a zero day in Microsoft Office that prompts Fortune 500 companies to say, “you need to get this fixed or I’m migrating to xxxxoffice suite and not coming back,” we won’t see quite the responsiveness on security issues. One thing on this: moving away from the one-time software purchase model may actually be a good thing for this to change, because if you’re “subscribing” to the software (or maintenance) you have more leverage to be able to say “fix it or I’m out the door”.
It would be interesting to hear Microsoft’s explanation of how this patch was streamlined so quickly, while most security updates sit on the shelf longer. Oh, and by the way, DRM was slightly broken again within a couple days after the patch. (But not for songs with an expiration date, i.e. subscription services.)
Oh, by the way, it is that time again – updates coming Tuesday (September 12). SANS has details – 2 “important” updates for Windows (no critical this time…) and 1 critical for Microsoft Office (hopes are that this fixes the most recent zero-day vulnerability that’s been circulated). There are other non-security related updates for a total of 9, but it seems relatively low-key. The bulletin from Microsoft can be found here. (Yes, a reboot will be required for at least one of the updates.)
Brian Krebs of Security Fix has the story as well, and notes that this is far fewer than what we’ve seen in recent months on Patch Tuesday.