Microsoft and FairUse4WM

If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.

Security patches used to be rare. Software vendors were happy to pretend that vulnerabilities in their products were illusory—and then quietly fix the problem in the next software release.

That changed with the full disclosure movement. Independent security researchers started going public with the holes they found, making vulnerabilities impossible for vendors to ignore. Then worms became more common; patching—and patching quickly—became the norm.

But even now, no software vendor likes to issue patches. Every patch is a public admission that the company made a mistake. Moreover, the process diverts engineering resources from new development. Patches annoy users by making them update their software, and piss them off even more if the update doesn’t work properly.

For the vendor, there’s an economic balancing act: how much more will your users be annoyed by unpatched software than they will be by the patch, and is that reduction in annoyance worth the cost of patching?

Since 2003, Microsoft’s strategy to balance these costs and benefits has been to batch patches: instead of issuing them one at a time, it’s been issuing them all together on the second Tuesday of each month. This decreases Microsoft’s development costs and increases the reliability of its patches.

The user pays for this strategy by remaining open to known vulnerabilities for up to a month. On the other hand, users benefit from a predictable schedule: Microsoft can test all the patches that are going out at the same time, which means that patches are more reliable and users are able to install them faster with more confidence.

In the absence of regulation, software liability, or some other mechanism to make unpatched software costly for the vendor, “Patch Tuesday” is the best users are likely to get.

Why? Because it makes near-term financial sense to Microsoft. The company is not a public charity, and if the internet suffers, or if computers are compromised en masse, the economic impact on Microsoft is still minimal.

Microsoft is in the business of making money, and keeping users secure by patching its software is only incidental to that goal.

There’s no better example of this of this principle in action than Microsoft’s behavior around the vulnerability in its digital rights management software PlaysForSure.

Last week, a hacker developed an application called FairUse4WM that strips the copy protection from Windows Media DRM 10 and 11 files.

Now, this isn’t a “vulnerability” in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: “Oh no. I can now play the music I bought for my computer in my car. I must install a patch so I can’t do that anymore.”

But to Microsoft, this vulnerability is a big deal. It affects the company’s relationship with major record labels. It affects the company’s product offerings. It affects the company’s bottom line. Fixing this “vulnerability” is in the company’s best interest; never mind the customer.

So Microsoft wasted no time; it issued a patch three days after learning about the hack. There’s no month-long wait for copyright holders who rely on Microsoft’s DRM.

This clearly demonstrates that economics is a much more powerful motivator than security.

It should surprise no one that the system didn’t stay patched for long. FairUse4WM 1.2 gets around Microsoft’s patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files.

That was Saturday. Any guess on how long it will take Microsoft to patch Media Player once again? And then how long before the FairUse4WM people update their own software?

Certainly much less time than it will take Microsoft and the recording industry to realize they’re playing a losing game, and that trying to make digital files uncopyable is like trying to make water not wet.

If Microsoft abandoned this Sisyphean effort and put the same development effort into building a fast and reliable patching system, the entire internet would benefit. But simple economics says it probably never will.

This essay originally appeared on Wired.com.

EDITED TO ADD (9/8): Commentary.

EDITED TO ADD (9/9): Microsoft released a patch for FairUse4WM 1.2 on Thursday, September 7th.

EDITED TO ADD (9/13): BSkyB halts download service because of the breaks.

EDITED TO ADD (9/16): Microsoft is threatening legal action against people hosting copies of FairUse4WM.

Tags: copyright, cracking, cryptography, DRM, economics of security, incentives, Microsoft, operating systems, patching, Windows

Posted on September 7, 2006 at 8:33 AM • 51 Comments

Comments

mcr42 • September 7, 2006 8:53 AM

I wonder how long it takes before a worm includes a filesharing client, sharing the files of a infected computer.
Now that would force them to fix the really important holes.

Anonymous • September 7, 2006 8:54 AM

You just explained why users benefit most from, and are most happy with, software written by users.

slup • September 7, 2006 9:08 AM

You should follow closely the case between iTunes Music Store and the norwegian consumer ombudsman in which the last states that no software vendor may wave its resposibility towards damage done by its products even if these products are software:
http://www.forbrukerombudet.no/index.gan?id=11032467&subid=0

T Man • September 7, 2006 10:31 AM

I agree that MS will udpate the DRM software quickly, but I disagree with your analysis concerning the patching process. Being involved in the patching process for a long time at my company, this new method is many times superior to the old method of release then whenever they are ready. In the enterprise market, you need to have time to test these patches, and need to devise a plan to deploy them. In the old method, where patches were released whenever, it caused many headaches for the IT industry. The new way makes things predictable and workable.

Some history is required here. As the amount of patches required increased, mainly as the Internet became more popular and as a side “benefit”, exploitation of those vulnerabilities becase more prevalent, MS would release patches whenever they saw fit. During that time, many in the IT industry started to think up a new strategy, since there had to be a better way. The testing procedure for patches was more than just a monthly project. Rather, it was a project that required work throughout the month. MS proposed the patch Tuesday strategy, and it worked. While there was some disagreement at that time, I don’t think that any IT professional would want to go back to the old method.

Chris • September 7, 2006 10:33 AM

The DRM industry behaves in a way, that they would recommend to pee on a forest fire to extinguish it. It will never work. And recording industry is the only industry that I know which insults its paying customers as thiefs.

eindgebruiker • September 7, 2006 10:48 AM

For the vendor, there’s an economic balancing act: how much more will your users be
annoyed by unpatched software than they will be by the patch, and is that reduction
in annoyance worth the cost of patching?

Once you understand that the users of DRM are not the consumers but the record companies this quick reaction by Microsoft makes perfectly sense.

Tom Davis • September 7, 2006 12:03 PM

Legislation making software developers or distributors liable for security failures would not provide a financial impetus for improving software security. As stated above, a patch is in and of itself an admission of guilt. Consequently, there would be an impetus to withhold patches unless it was obvious that the company would lose more money by not admiting culpability than if it did.

Additionally, as stated above, there is an “escalating arms race” between developers and hackers. The ability of software vendors to win by a system of patching, is as also stated above, unlikely.

The only way to provide a secure basis for computer security is to adopt the same policies observed by the OpenBSD development team, namely preemptive bug fixes and code scouring, a minimal facilities enabled by default policy, and attention to correct documentation at least as intense as attention to the actual code.

Which brings up the final issue. There exist numerous alternatives to Microsoft software, and for those people and organizations concerned about security, the incentives are already in place to move to other systems. The fact that many people do not is indicative of a disinterest by those people in the security of their computers. That same disinterest would undoubtably translate into a disinterest in prosecuting a legal case against Microsoft (or any other vendor) for a security failure. After all, buying a Mac is cheaper than hiring a lawyer, and downloading and installing OpenBSD is less time consuming than collecting the necessary documentation to proceed with a tort.

Joost Remijn • September 7, 2006 12:04 PM

@T Man at September 7, 2006 10:31 AM

I think patch tuesday should at least be optional. You can patch your systems once a month or when the patch comes out. If microsoft just released the patches as they were ready (and tested) those that want their systems more secure than stable (and have the manpower) can apply them and those that aren’t in a hurry (normal businesses) can wait and do it once or twice a month.

But at the moment there is no such choice if you use these microsoft products. I personally use linux (FC5) and update not too often (once a week max). Real security for me is a good backup system because i’m more afraid of losing data than anyone looking at it really.

AC • September 7, 2006 12:32 PM

The major trick that MSFT is playing with the patches it making them not too convenient. Just as an example: imagine that they publish ony one downloadable executable instead of eleven per month. You’d download that one, start it and have everyting updated.
I don’t believe we’ll see this.
“But what if somebody doesn’t want some patch installed?” — that’s a minority, and they should just be able to type the numbers of these patches in “don’t install” file.
The second convenient thing would be an updated “rollup” each month, for any freshly installed computer.

Loyal Citizen • September 7, 2006 12:47 PM

“remaining open to known vulnerabilities for up to a month”

A nit: this statement isn’t accurate, as many vulnerabilities given to Microsoft take longer than a month to make their way through the development process, and even with “responsible disclosure” the fact that a vulnerability is known, although the details are often withheld.

@nonymou5 • September 7, 2006 1:01 PM

@Joost Remijn

Real security for me is a good backup system because i’m more afraid of losing data than anyone looking at it really.

Great. That works FOR YOU!!
But honestly for those who have policies and laws that mandate that unauthorized exposure of data is punishable by fines and jail time (See HIPAA Security rule) your world view does not apply.

Clive Robinson • September 7, 2006 1:06 PM

Is it me or has everybody missed a point here.

A) Microsoft issue patches once a month

Which most people would consider reasonable, and it would probably hold as an argument in court (if it ever got there).

B) However Microsoft rush out a patch in three days for a non security issue.

They have thereby set a precedent by which they would stand or fall in court when it comes to best / reasonable effort (my guess is they would be on the downward slope , if as I said it ever got to court).

Over half of the “best effort” / “reasonable effort” argument is never ever ever be shown to have done something better, esspecialy if it can be shown (reasonably) that your trason for doing so was money (often a court does not consider cost to be a limit on your best effort)…

I smell the aroma of singed sock as the GSR makes it melt back from the fresh self inflicted wound that has appeard in the Microsoft corperate foot.

Chris • September 7, 2006 1:12 PM

I agree that there is an incentive for Microsoft to quickly patch this vulnerability — they’re worried about the image of their software as a secure platform for delivering premium (i.e. pay-per-play) content. It’s been their stated goal to make Windows-based PCs the hub for entertainment in people’s homes. Windows Media Center Edition and Windows Vista are merely stepping stones towards this goal.

When you look at the feature list for Windows Vista, almost all of them are in support of a trusted platform for DRM. Any benefit consumers see is purely a side-effect of their efforts to please the “content providers.” Soon, Microsoft’s big customers will not be the individuals buying copies of Windows and Office, but the movie and music folks hosting digital files on Microsoft platforms. Microsoft is simply protecting their DRM software from the perception it is not secure. This is doubly important given the marketing blitz about to kick off for the Windows Vista launch.

Comments about the convenience of patch rollups and regular release schedules facilitating planning forget that the target for this patch is not the corporate IT department. It’s individual users running Windows, who only know that Microsoft wants them to install a “critical” patch. Mom and Pop don’t run mission critical software, don’t do regression testing, and don’t deploy patches to hundreds or thousands of desktops. To them, every patch is a surprise.

Soon, I expect their computer will download and install such patches automatically and without asking for permission. Whether or not you trust your computer is unimportant because whether or not Hollywood Trusts(tm) your computer is worth billions of dollars.

salt bath • September 7, 2006 1:18 PM

I will never use another Micosoft product or service again. This is coming from someone who has used just about every version of Windows ever released and various versions of MS-DOS before Windows came along.

I will never be satisfied with an operating system that is closed source. Since discovering Linux I found the joy and freedom that I knew before I wasted my time with MS-DOS/Windows for several years. I don’t care how many hackers are paraded about for the public to see, I can’t and won’t believe source code which I cannot inspect with my own eyes. If I am not free to modify and change the source, and others aren’t, it’s too restrictive for my use.

Ed T. • September 7, 2006 1:43 PM

I’m surprised that MSFT hasn’t implemented the obvious “fix”: file criminal complaints against the makers of FairUse4WM under the DMCA.

~EdT.

derf • September 7, 2006 2:04 PM

If Microsoft abandoned this Sisyphean effort and put the same development effort into building a fast and reliable patching system, the entire internet would benefit. But simple economics says it probably never will.<<<

You have admitted the battle is already lost and that we must approach the holes Microsoft negligently left in our defenses after the fact with hat in hand and beg Microsoft to help us fix their problems.

I believe that the economic incentive to make the software work securely out-of-the-box needs to be put back into software development. Let Congress declare EULA’s invalid and let there be a class action suit against Microsoft for all of the time wasted trying to clean up the mess. Instead of yet another crappy Windows with all new vulnerabilities, I bet we would see a LOT more development hours being spent on cleaning up broken Windows code, potential vulnerabilities, and security issues in the version we’ve already bought, paid for, and slaved over trying to keep the thing secure just from the dateless 14 year olds.

Adam • September 7, 2006 2:24 PM

T Man : It’s not about whether Patch Tuesday is a good or bad thing compared to ad-hoc patching, it’s that whatever reasons MS may have for delaying security patches (if they choose to do so), they should apply just as well (if not more) to non-security patches.

If batching patches is a good thing, then the FairUse4WM “fix” should be batched along with the rest.

If ad-hoc patching puts users at some kind of risk (e.g. stability due to testing/integration issues) then exposing users to that risk to fix an issue that is /not/ a risk to users in the first place is pretty lame.

Fred • September 7, 2006 2:24 PM

@derf

“You have admitted the battle is already lost and that we must approach the holes Microsoft negligently left in our defenses after the fact with hat in hand and beg Microsoft to help us fix their problems.”

My opinion is that if you’re serious about securing a system, you won’t use a Microsoft OS in the first place.

Patrick Farrell • September 7, 2006 2:51 PM

Microsoft has made great gains with their patching system in the past few years. I don’t negate what Bruce is saying about DRM not being a priority patch, but WindowsUpdate is a pretty amazing program. Debian’s apt is the only system that does a better job at patch distribution (although I’ll admit I don’t have experience with BSD) but let’s face it, Debian is dealing with high-end computer professionals. Microsoft is dealing with Joe Luser who refuses to learn anything about how a computer works, how it should be operated, what an operating system is, or why it should be patched.

Anonymous • September 7, 2006 2:58 PM

I think it’s important to note that the users of DRM are not the users of the Plays4Sure device, but the owners of the copywrite.

Still MSFT doesn’t owe them anything more than they owe users of Windows or Office, but the DRM team is different form the “patch Tuesday” team, right?

Name • September 7, 2006 3:47 PM

@Fred:

“My opinion is that if you’re serious about securing a system, you won’t use a Microsoft OS in the first place.”

Amen! Real men use BSD and/or Linux

T Man • September 7, 2006 3:54 PM

@Adam: “If batching patches is a good thing, then the FairUse4WM “fix” should be batched along with the rest.”

But, DRM is considered more of a “consumer” issue rather than a corporate one. How many enterprises allow for music or video to be played on corporate machines? Is it vital to the company? No it is not (in most cases), so this issue really does not fall under the “Patch Tuesday” moniker. This is more of a consumer fix. Since I will not care about fixing DRM issues, I won’t even bother patching WMP, since it is simply not used in the corporate space. I will make sure that all true security issues are fixed and deployed, but if this was to come in to my WSUS server, I would just decline the update. Bruce talks about a fast and reliable patching system, and quite frankly, we do have that, at least in the corporate space.

However, the DRM fix issue is a little more complex. They have the big record companies to keep at bay. OK, there we can see the main issue. Pressure from the big labels on MS to make sure that DRM is not “broken”. So here is an example that it has nothing to do with the customers. It was the customers, ie, IT professionals, that were clamoring for some better patch management. The customers of DRM are the record labels.

Let’s also look at this another way. It is well known that the Zune MP3 player is coming out sometime in the future. MS has to adequately prove to the record companies that the DRM that they will use in Zune and the URGE music store are solid if they want to have access to the labels music libraries.

In either case, I don’t think this has anything to do with cost effectiveness of developement. If you release a patch today or on Patch Tuesday, it still requires developers to spend time to fix the problem, and therefore money.

And don’t get me wrong. I don’t like DRM (at least in its current incarnation), and I’m not trying to defend it.

tux • September 7, 2006 4:00 PM

@Patrick Farrell:

“Microsoft has made great gains with their patching system in the past few years.”

I disagree, I can’t see the code for each patch, so how do I know what it really does? How can I be a new patch won’t introduce another security issue? How many remote exploits exist in the history of Windows XP? From the first retail release on up, go to their site and count for yourself.

“WindowsUpdate is a pretty amazing program.”

I strongly disagree. Aside from the updates offered (none of which I or others can examine the source code of, can I?) at WindowsUpdate, there’s nothing else there that can compare, IMO, to Synaptic and Debian or Ubuntu’s respective repositories.

“Debian’s apt is the only system that does a better job at patch distribution (although I’ll admit I don’t have experience with BSD)”

Synaptic is an easy to use GUI for apt which any one (even grandmothers) can use to install updates AND additional software for FREE via point and click. In fact, there is NOTHING, IMO, that Windows offers out of the box that can compare to what Ubuntu Linux offers in regards to Synaptic and the repositories.

No need to chase down software from places like download dot com or tucows, just start Synaptic and point and click. I’ve set up plenty of grandpas and grandmas with Ubuntu Linux and they enjoy it more than they do Windows. Indeed, they refuse to use Windows after a few months with Ubuntu Linux.

“but let’s face it, Debian is dealing with high-end computer professionals. Microsoft is dealing with Joe Luser who refuses to learn anything about how a computer works, how it should be operated, what an operating system is, or why it should be patched.”

Which is why Ubuntu is easier for Linux newbies and once installed, is easier to use than Windows for most, and doesn’t come with a price tag.

tux • September 7, 2006 4:01 PM

@Patrick Farrell:

“Microsoft has made great gains with their patching system in the past few years.”

“WindowsUpdate is a pretty amazing program.”

“Debian’s apt is the only system that does a better job at patch distribution (although I’ll admit I don’t have experience with BSD)”

Which is why Ubuntu is easier for Linux newbies and once installed, is easier to use than Windows for most, and doesn’t come with a price tag.

n00b • September 7, 2006 4:08 PM

Sorry, but this article was misleading or misinformed garbage. For all this talk about Microsoft rushing out a DRM patch to the detriment of security fixes, why haven’t I received this update on my laptop which is running XP?

When there’s a vulnerability problem, I can go MSFT’s security site and see an update regarding the problem, workarounds, plans for a patch to be released, etc. This DRM fix? Well, as a user I wouldn’t even be aware of it except for all these self-referential links among Schneir and Engadget. Schneier would have us believe that Microsoft is putting this matter before everything else, but I must’ve missed out on Microsoft notifying me in 32-point letters, “YOU HAVE TO UPDATE THIS NOW!” All I see a notification that MSFT sent to Windows Media licensees. Wow.

Chris S • September 7, 2006 4:24 PM

Not being in a position to see the details, let me ask about another factor that might more clearly lay out Microsoft’s corporate feelings.

1) Is a WGA check required before downloading patches on Patch Tuesday?

2) Is a WGA check required before downloading the WM patch?

Bruce has discussed before the tradeoffs involved in the patching of incorrectly licensed versions of software. Be interesting to see how it is working out in this case.

Mike S • September 7, 2006 5:05 PM

It’s all about the money.

Microsoft already has our money, so why should they rush to get us what we need – A secure OS?

They’re still trying to get the money from the studios. The new Amazon movie downloads will be in MS .wmv format. So they are kissing the studios asses until they have locked them in like they’ve done to us.

root • September 7, 2006 5:21 PM

What we have here is a failure to communicate. You are not the customer. You are the product. Microsoft is selling you, the product, to the customer. The customer is Big Media. That’s why your homepage is MSN, your DRM is military grade, and your default email encryption doesn’t exist. The point is, either choose to be a product, pay Microsoft for the privelege, or don’t choose to be a product. But please don’t choose to be a product and then b*tch about it.

r34lr00t • September 7, 2006 6:34 PM

“The point is, either choose to be a product, pay Microsoft for the privelege, or don’t choose to be a product. But please don’t choose to be a product and then b*tch about it.”

Wrong, the whole problem is that most people didn’t know they had/have a choice. Do you know what a convicted monopoly is? Do you know the deals that went on (and what goes on now?) with OEMs?

Mandatory reading:
http://www.groklaw.net/articlebasic.php?story=20041228040645419

Danno • September 7, 2006 9:05 PM

MS actually batched patches because corporate customers asked for it. It allowed for better planning. This was a pretty clear cut request that was actively pushed on the team from customers. Cost wasn’t even brought up as an issue or concern internally. If it cost twice as much the same decision would have been made. I was part of the decision process back when I worked for them.

root • September 7, 2006 9:40 PM

“Wrong, the whole problem is that most people didn’t know they had/have a choice.”

I fail to see how the ignorance of others invalidates my statement. What about a TCPA compliant architecture benefits the pc buyer? How does encrypted audio to your speakers benefit you? It does not. It is, instead, an indicator that you are a product in the process of being delivered. Whether or not the product recognizes its own nature, my statement remains true.

Bryan • September 7, 2006 11:13 PM

I’m gonna ignore the ‘ominous DRM’ overtones here and just concentrate on the security patching process.

One of the reasons I still support Patch Tuesday is that the period of highest vulnerability these days is often the few days or weeks after MS has released a security patch. This is when we see the explosion of exploit attempts as hackers/crackers get hold of the patch, reverse engineer it, and begin scanning the net with their reverse engineered exploit. So now it’s a race to get patched before the bad guys complete their job of reverse engineering.

If MS were to dribble patch releases throughout the month, this would make it harder for users and IT departments worldwide to stay on top of patches, and cause more ‘days of vulnerability’ in any given month.

So. Excepting cases where the exploit is already making the rounds, MS should stick to Patch Tuesday. If the exploit is already being used above some definable (and hopefully fairly low) threshold, then yes, I would want MS to release the patch ahead of Patch Tuesday.

Chris N • September 8, 2006 12:20 AM

On the topic of Windows security, I recently wrote a Windows security configuration analyzer and have made it freely available at https://www.chrisnowell.com/windows%2Dsecurity%2Dtool

Please let me know what you think about it.

ac • September 8, 2006 12:24 AM

@Danno

That’s hilarious, considering we’ve been giving our TAM an earful every chance we get about how much we hate the monthly patch cycle and wish Microsoft would just release the patches when they’re ready and tested, like every other software vendor. Not that I don’t believe we’re in the minority, but I think it’s funny people would actually ASK for a larger window of opportunity for attackers.

From my perspective, any business that wants conveniently scheduled monthly updates can configure their own WSUS server to do just that, even if the patches are streaming one a day from Microsoft. That way, only these corporate customers are unneccessarily vulnerable to exploits for up to a month. Under Microsoft’s monthly patch cycle, the whole world is unneccessarily vulnerable to exploits for up to a month. And the virus writers are catching on–timing their attacks so that they won’t be patched for a month. Something’s got to give.

LRayZor • September 8, 2006 2:39 AM

@ Ed.T

The DCMA doesn’t apply as fair use is specifically excluded.

Kistel • September 8, 2006 4:06 AM

@tux:

“” “Microsoft has made great gains with their patching system in the past few years.”

Suppose you could read the source. What then? Would you really do that? Would you understand what and how it really does and how it interacts with the zillion other components, in order to say “wow, this would open up another security issue, I will not install it”? Even then, would you leave your current system as it currently is, open with a known security hole?

I believe that there are actually really few ppl out there who can read and understand a source patch, and they do it now and then. In fact, I can probably count them on one hand (i.e. they are less than 32 🙂

Back to the point: the root of the problem I believe is that an average Windows user blindly believes what MSFT says**. Currently the message is that “you have to install this patch for your own good” – so they install it. This is mostly true even for corporate users – they will not want to judge if a patch is worth installing or not. (And I did not even consider the possibility of a later security patch mandating the installation of this DRM crap.)

Linux/BSD/etc. users are generally more aware of what they should or should not use, so they don’t install DRM stuff in the first place.

**: btw this is probably true for all other closed-source systems (Adobe, Symantec, you name it.) Hell, it is probably true for OSS as well, since not many admins hold back apt upgrades. They will install them blindly.

bamaslammer • September 8, 2006 7:09 AM

“…trying to make digital files uncopyable is like trying to make water not wet.”

Profound……my new sig (attributed), in fact.

Anonymous • September 8, 2006 7:44 AM

“This clearly demonstrates that economics is a much more powerful motivator than security.”

Duh! Try:

This clearly demonstrates that ‘loss of our money and/or freedom to do as we want’ is a much more powerful motivator than ‘loss of your money and/or freedom to do as you want’

Paul • September 8, 2006 9:50 AM

Repeatedly we see proof that DRM hurts the average guy, and has little or no impact on criminals. And, that’s if you assume that DRM software is a legitimate software category, and not a violation of your constitutional rights.

I find the question of where Microsoft’s priorities and allegiances lie much less interesting (it seems pretty obvious) than why we are all paying the cost of something that shouldn’t be legal.

see: Copyright, DRM, and the Devil in the Details (http://thewaythingsare.typepad.com/antimarketer/2006/09/media_art_marke.html)

Colin • September 8, 2006 1:16 PM

There are a couple of other issues not considered here:

‘A patch’ that Microsoft issues isn’t actually one patch. Most patches have to be released in localized versions. Microsoft ships their major products in many dozens of languages and locales, meaning that every patch must be compiled and tested 150+ times over.

The faster a patch is shipped, the less time there is for quality control and compatibility testing. That has a measurable effect on patch quality. Most of the patches Microsoft has been forced to recall were ‘rushed’ out of the gate with insufficient testing.

Finally, it’s safe to assume that every patch any vendor issues is going to be instantly reverse-engineered. That means that if there weren’t active exploits in the wild before the patch was issued, there will almost assuredly be active exploits after the patch, sometimes within hours of the patch’s release. Most enterprise customers can’t install a patch that fast. They need to time to analyze and test it themselves.

Bruce’s basic point about economic incentives has merit, but here’s a question for discussion. Patches are a reality. No piece of software is perfect. As an admin, would you rather have a patch right now that may or may not work with your existing solutions and system, and that hackers will immediately analyze? Or would you rather wait a bit and have a patch that’s more robust and well-tested?

cesar branco • September 8, 2006 2:20 PM

It will always be possible to use a standard male – male audio cable connecting 2 pc’s, and copy all the music you want… or even use one of those record what’s on your sound card applications available by the dozen on the web. Remember when and how you used a tape recorder? A litle bit more work that’s all.

ac • September 8, 2006 5:23 PM

@Colin

Nobody is arguing that Microsoft should release patches before they are well-tested. For my part, I am arguing that it is simply not plausible that providing an adequate period of testing for, say, seven patches for seven different vulnerabilities reported at different times means that they will all complete testing on exactly the same day. That’s just nonsense and I can’t believe it. If ONE of those seven patches is done with its testing a day (or a week) before the others, then that is the point when that patch should be released.

Anything less than that would be really irresponsible on Microsoft’s part–having a fully-tested patch ready and waiting and then sitting on it for who knows how long because it’s not the right day of the month. And yes, that is what they do, unless you really believe that all of the testing periods for so many patches all align perfectly to the exact same day, month after month.

Stu • September 10, 2006 7:21 PM

This is just market forces at work…

solinym • September 11, 2006 4:00 AM

@Chris: “And recording industry is the only industry that I know which insults its paying customers as thiefs.”

Oh really? Perhaps you’ve never heard about Bill Gates’s venomous email that declared “you are all thieves!” back in the early days when programs were traded on tape. If he had said “most of you are illicitly copying”, then he would have not aroused such a backlash, but you know computer people… always nit-picky.

@Tom Davis: “Additionally, as stated above, there is an “escalating arms race” between developers and hackers. The ability of software vendors to win by a system of patching, is as also stated above, unlikely.”

Well, no. The point would be to have a development process that has a better-quality output and treats security like a goal and not a cost-center. There was a relatively common goal called “zero-defect software”, but it has fallen out of fashion. There’s something called “provably correct code”, and people who don’t know what it is seem to always somehow have a low opinion of it. Also there was a movement called “extreme programming”, which had two people looking at code while one of them wrote it, but it was not economic to divide your raw productivity in half. By changing the incentives, they might fall into favor again; like disco, except it doesn’t suck.

“The only way to provide a secure basis for computer security is to adopt the same policies observed by the OpenBSD development team, namely preemptive bug fixes and code scouring, a minimal facilities enabled by default policy, and attention to correct documentation at least as intense as attention to the actual code.”

The scouring is about the same as pairwise programming, if it occurs before release; otherwise it’s just racing the opposition again. But yes, I like OpenBSD.

“That same disinterest would undoubtably translate into a disinterest in prosecuting a legal case against Microsoft (or any other vendor) for a security failure. After all, buying a Mac is cheaper than hiring a lawyer”

Ah, but have you forgotten the trial lawyers? Class action suits? That’s a big economy of scale. Argue one case, make a few million. Getting named as part of it has never been easier. Just google a prescription medicine recently taken off the market; those ads you see may cost as much as $5 per click. Be nice now…

Marc Herbert • September 11, 2006 9:31 AM

I translated this to french.
http://marc.herbert.free.fr/microsoft_and_f_fr.html
Bruce, if you have any issue with this please tell me and I’ll remove it right away.

defenders of the faith • September 11, 2006 2:46 PM

@Someone who posted above:

“Suppose you could read the source. What then? Would you really do that?”

Repel shills with freedom

John • September 14, 2006 5:22 PM

“This clearly demonstrates that economics is a much more powerful motivator than security.”

If you want a system that you may use on your terms and to your enjoyment, switch to Linux.

People who cry GAMES and stick with Windows are just supporting closed shit like DIRECTX. If the industry didn’t rally around closed sourced DirectX, games would be on every OS.

menatekera • September 25, 2006 6:16 PM

The Engadget Interview: Viodentia, creator of FairUse4WM

http://www.engadget.com/2006/09/25/the-engadget-interview-viodentia-creator-of-fairuse4wm

Boso • September 26, 2006 4:57 AM

You’ve been proved right !! The Internet Explorer VML vulnerability that was reported by Sunbelt Software since the 21st of September has still not been patched by Microsoft, despite evidence that attacks have been made using this bug, and a third party patch being released. And Microsoft says that they will be issuing their own patch on October 10th, in line with their monthly cycle !!

http://www.cio.com/blog_view.html?CID=25183

menatekera • September 27, 2006 4:15 AM

Microsoft sues Viodentia (the creator of FairUse4WM) for copyright infringement???

http://www.engadget.com/2006/09/26/microsoft-sues-viodenta-for-copyright-infringement

Trev • October 16, 2006 7:35 AM

Its funny we will let our rights be restricted by accepting DRM, and at the same time be paying a levy on blank CDs.

http://www.techdirt.com/articles/20060227/0211220.shtml

So I should buy a song online and be thankful I am granted permission to play it on one PC between 6 and 9 pm unless I lose the license (because I had to reinstall a crashed OS) in which case the song is gone.

Ya license could be backed up etc my point is DRM process is not easy or simple.

Also what do I backup my license or OS on … a blank CD which has a levy going to Record companies because … I was copying music?

I think most people want to pay the $ to the artists, just don’t want to pay again ( $ or inconvenience ) for the same song being listened to in the car, mp3 player etc.

Microsoft and FairUse4WM

Comments

Leave a comment Cancel reply