I didn’t really think of this in context, but George Ou points out that Microsoft issued an “out of cycle” patch for their DRM software in response to the FairUse4WM software that stripped DRM protections from Windows Media Files. It took a mere 3 days from being made aware of the issue to releasing a patch. In context, we have seen numerous instances in the last year of “zero-day” vulnerabilities becoming known just after a monthly patch day, and Microsoft waiting until the next patch day to release a fix. So why the different response?
Some might give Microsoft the benefit of the doubt. Patching a full application is different than just patching DRM schemes; it requires a lot more testing to make sure things work right and don’t break. (I presume with this argument there’s no concern for media files “breaking” in any way with a change to the DRM scheme. Of course, we could get into a tangent on “broken” in relation to media files, but we’ll save that for another time.)
I’m not giving them the benefit of the doubt. In fact, I think it’s fairly obvious. There are several very large companies that are paying pretty big for Microsoft’s DRM and are nervous at the thought of broken DRM. I wouldn’t be surprised if, on news of this DRM “workaround” or breakage, they didn’t hear from some VERY upset people with some of the big content distributors “urging” them to fix things as soon as possible. (OR ELSE.)
When it comes to security vulnerabilities in a Microsoft product there isn’t a single entity that can tell them, “Look – you need to get this fixed now, or we’ll suspend our contract and go elsewhere.” This is ONE of the many reasons that I think we need to really invest time and attention in potential alternatives to Windows (as well as other Microsoft products). Because the day that there’s a zero day in Microsoft Office that prompts Fortune 500 companies to say, “you need to get this fixed or I’m migrating to xxxxoffice suite and not coming back,” we won’t see quite the responsiveness on security issues. One thing on this: moving away from the one-time software purchase model may actually be a good thing for this to change, because if you’re “subscribing” to the software (or maintenance) you have more leverage to be able to say “fix it or I’m out the door”.
It would be interesting to hear Microsoft’s explanation of how this patch was streamlined so quickly, while most security updates sit on the shelf longer. Oh, and by the way, DRM was slightly broken again within a couple days after the patch. (But not for songs with an expiration date, i.e. subscription services.)
Oh, by the way, it is that time again – updates coming Tuesday (September 12). SANS has details – 2 “important” updates for Windows (no critical this time…) and 1 critical for Microsoft Office (hopes are that this fixes the most recent zero-day vulnerability that’s been circulated). There are other non-security related updates for a total of 9, but it seems relatively low-key. The bulletin from Microsoft can be found here. (Yes, a reboot will be required for at least one of the updates.)
Brian Krebs of the SecurityFix has the story as well, and notes that this is far fewer than what we’ve seen in recent months on patch Tuesday.