Microsoft Thinks Removing Features is 44 Times More Urgent Than Fixing Critical Security Holes
In early 2006, the Washington Post’s Brian Krebs blogged about his attempt to determine how long Microsoft takes to fix security problems in the Windows operating system. According to research done by Krebs’s team, Microsoft takes an average of 134 days to issue critical fixes (through 2005):
Here’s what we found: Over the past three years, Microsoft has actually taken longer to issue critical fixes when researchers waited to disclose their research until after the company issued a patch. In 2003, Microsoft took an average of three months to issue patches for problems reported to them. In 2004, that time frame shot up to 134.5 days, a number that remained virtually unchanged in 2005.
A Time to Patch – Security Fix
Microsoft has faced much public criticism for slow fixes and has been working hard to address the issue. According to Microsoft, the real delay is not finding a solution to the problem, but fully testing the patch:
Toulouse said developing a patch to mend a security hole is usually the easiest part. Things get more problematic, he said, during the testing process. If testers find a bug, the patch developers incorporate the fix into all relevant portions of the patch and the testing process is reset, forcing the testers to start from scratch.
A Time to Patch – Security Fix
Last week, Microsoft found itself facing a different sort of software bug when a software developer figured out a way around Microsoft’s PlaysForSure DRM software. The developer released FairUse4WM, which allows users who bought music from online music stores to play the music on any system they want, such as a Mac or iPod.
Microsoft managed to release a patch to plug this hole in 3 days. That doesn’t make any sense. Either Microsoft thought re-enabling its draconian DRM was worth releasing a patch that was not well tested, or they put enough manpower on this patch to do in only 3 days what normally takes 146 days. Priorities, indeed.
And what has all this effort gained them? According to an excellent article by Bruce Schneier at Wired News, PlaysForSure was again cracked within days:
That was Saturday. Any guess on how long it will take Microsoft to patch Media Player once again? And then how long before the FairUse4WM people update their own software?
Certainly much less time than it will take Microsoft and the recording industry to realize they’re playing a losing game, and that trying to make digital files uncopyable is like trying to make water not wet.
If Microsoft abandoned this Sisyphean effort and put the same development effort into building a fast and reliable patching system, the entire internet would benefit. But simple economics says it probably never will.
Wired News: Quickest Patch Ever
technorati tags:drm, playsforsure, critical, patch, FairUse4WM
[...] I’ve just come across a very interesting new blog, uninnovate.com, which focuses on the phenomenon of “engineering expensive features into a product for which there is no market demand in order to make the product do less.” The first few posts tackle ‘Three legends of uninnovation‘ (the iPod’s copy restrictions, Sony’s mp3-less Walkman, and Verizon’s rent-seeking on Bluetooth features), Microsoft’s priorities (patching DRM flaws vs. security flaws that actually damage users), Amazon’s absurd new Unbox ’service’ and ‘Trusted’ computing for mobile phones. The perspective is refreshingly clear: no customer woke up wanting these ‘features’, yet companies direct vast efforts towards developing them. [...]