I didn’t really think of this in context, but George Ou points out that Microsoft issued an “out of cycle” patch for their DRM software in response to the FairUse4WM software that stripped DRM protections from Windows Media Files. It took a mere 3 days from being made aware of the issue to releasing a patch. In context, we have seen numerous instances in the last year of “zero-day” vulnerabilities becoming known just after a monthly patch day, and Microsoft waiting until the next patch day to release a fix. So why the different response?
Some might give Microsoft the benefit of the doubt. Patching a full application is different from just patching a DRM scheme; it requires a lot more testing to make sure things work right and don’t break. (I presume with this argument there’s no concern for media files “breaking” in any way with a change to the DRM scheme. Of course, we could get into a tangent on “broken” in relation to media files, but we’ll save that for another time.)
I’m not giving them the benefit of the doubt. In fact, I think it’s fairly obvious. There are several very large companies that are paying pretty big for Microsoft’s DRM and are nervous at the thought of broken DRM. I wouldn’t be surprised if, on news of this DRM “workaround” or breakage, they didn’t hear from some VERY upset people with some of the big content distributors “urging” them to fix things as soon as possible. (OR ELSE.)
When it comes to security vulnerabilities in a Microsoft product, there isn’t a single entity that can tell them: “Look, you need to get this fixed now, or we’ll suspend our contract and go elsewhere.” This is ONE of the many reasons that I think we need to really invest time and attention in potential alternatives to Windows (as well as other Microsoft products). Until the day there’s a zero day in Microsoft Office that prompts Fortune 500 companies to say, “you need to get this fixed or I’m migrating to xxxxoffice suite and not coming back,” we won’t see quite the same responsiveness on security issues. One more thing on this: moving away from the one-time software purchase model may actually be a good thing for this to change, because if you’re “subscribing” to the software (or maintenance) you have more leverage to be able to say “fix it or I’m out the door.”
It would be interesting to hear Microsoft’s explanation of how this patch was streamlined so quickly, while most security updates sit on the shelf longer. Oh, and by the way, the DRM was slightly broken again within a couple of days after the patch (but not for songs with an expiration date, i.e. subscription services).
Oh, by the way, it is that time again: updates coming Tuesday (September 12). SANS has details: 2 “important” updates for Windows (no critical this time…) and 1 critical for Microsoft Office (hopes are that this fixes the most recent zero-day vulnerability that’s been circulating). There are other non-security-related updates for a total of 9, but it seems relatively low-key. The bulletin from Microsoft can be found here. (Yes, a reboot will be required for at least one of the updates.)
Brian Krebs of Security Fix has the story as well, and notes that this is far fewer than what we’ve seen in recent months on Patch Tuesday.