RE: Microsoft and Security

["Alun Jones" <alun () texis com>]

Justin Wheeler <mailto:jwheeler () datademons com> wrote on Monday, July
05, 2004 10:58 AM: 
> The simple argument I was making was that if MS' "testing
> process" is what
> keeps patches from coming out in a timely manner, perhaps they should
> actually be of decent quality.  When you're getting patches
> that are both
> slow to release, as well as adversely affecting the systems
> they're being
> installed on, MS has met neither of their agends.

It's not "either perfect quality assurance or immediate patching", sadly.

We spend so much time in our binary world, that we forget that real and
complex human processes are not binary - there are a large number of shades
of grey.

The immediate patch carries maximum risk, and the perfect patch requires
unconscionable amounts of time to verify its correctness.  Between those two
endpoints, however, you'll find a huge variance in what is acceptable risk
of damage from a patch versus acceptable delay to test.  And unfortunately,
neither of those two values is a) measurable, or b) the same for each user.

It's a balancing act, and one performed without a net.  And we've only
touched on two of the variables in this balance.  There's also third-party
software, whose vendors tend to get a little tetchy when their software
doesn't work the same way it has for years, even if it's because they're
relying on undocumented and unsecure behaviour.  There's probably a dozen
other variables that you need to consider.  If you've ever had to respond to
a security vulnerability (perhaps if you've had to respond to more than
one), you'll understand the way that the process works, and that a rushed
untested 'patch' is worse than the worst tested patch.

A tested patch will at least work on the majority of systems.  An untested
patch runs a high risk of not working at all.  The problems you've pointed
to are issues with outliers - usually customers running specialised software
- not widespread damage to people with mundane configurations.  Usually such
outlier customers would be the ones most able to test their own
configurations prior to rolling out any patch, though, and I would always
suggest that those who can test, should test, any patch or upgrade in their
own environment prior to patching.

Microsoft employs people who care about producing good software.  We're all
indoctrinated from day one that our software is used by everyone - our
parents, our neighbours, our children...  It's perhaps a unique situation
compared to producers of the other OSs, where the users are usually limited
to particular sections of the community.

I really don't think you'll find much truck with the idea that Microsoft
employees are happy to leave their mother's home machine, or those of the
general public, open to infection.

Alun.
~~~~