If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.
The company is not a public charity, and if the internet suffers, or if computers are compromised en masse, the economic impact on Microsoft is still minimal.
Microsoft is in the business of making money, and keeping users secure by patching its software is only incidental to that goal.
There’s no better example of this of this principle in action than Microsoft’s behavior around the vulnerability in its digital rights management software PlaysForSure.
So, if Microsoft is slow to patch a bug, people complain…. and if they are quick to patch a bug, people still complain. Hmmm… a little bit of a double standard don’t you think?
Could there be other reasons for the difference in response time? Like… different departments, alot less testing?
Oh yeah, Microsoft is just evil so it had to be about money.
@1
The difference is that DRM patch is critical from MS perspective and not from the users. While other patches that fixed holes in the security of the users didn’t get that priority.
#1, RTFA. It makes quite the point about the motivations behind a quick patch vs. a slow patch.
#2 & #3 I’m going to have to agree with #1 on this one.
FTFA “Since 2003, Microsoft’s strategy to balance these costs and benefits has been to batch patches: instead of issuing them one at a time, it’s been issuing them all together on the second Tuesday of each month. This decreases Microsoft’s development costs and increases the reliability of its patches.”
M$ did this because IT Admins were up in arms about having to being in constant test and fix mode. M$ did this to help end users plan to do testing and fixes. M$ does still release patches on non second Tuesdays if the treat is bad enough.
FTFA “So Microsoft wasted no time; it issued a patch three days after learning about the hack.” I don’t see the update on M$ update site. So will it be released on second Tuesday with it’s normal update cycle?
BTW Apple does the same thing with iTunes.
@4 The whole point is that this patch was released ahead of the regular “second Tuesday” patch.
http://www.dailytech.com/article.aspx?newsid=3999
>digital rights management software “PlaysForSure.”
Shouldn’t it be called “PaysForSure”?
The command line version of FairUse4WM’s predecessor, drmdbg, has been around for a over a year (Spring 2005.) The increased threat to Microsoft’s profit was the working GUI tool FairUse4WM. I say working GUI tool because “Drmdbg_front_end.exe” has been around for a long time too. It was much of a kludge and stil required the dreaded CMD prompt. Microsoft patched this hole because of the negative PR factor: “MS DRM hacked!” As if playing movies the consumer *had alrady paid for a license to use* was some type of global and eternal hack of the century.
MS had been looking at this particular hole for over a year and finally the bad PR on the new tool increased the necessity to patch. The increased bad PR resulted no doubt from the introduction of an anti-MS-DRM tool that reporters could figure out how to use. 😉
Hi everybody!
Can the open source software movement defeat (or severely cripple) Microsoft in the marketplace? Thank you 🙂