Robert Lemos

…articles and musings of a technology and science journalist


DRM more important than users’ security?

September 7th, 2006

So if Microsoft is given the choice to protect its users from the latest flaw being used by online attackers to compromise their data and systems or to protect the latest Britney Spears song, which do you suppose the software giant would choose?

That’s pretty much the question that Bruce Schneier poses in his latest column comparing the amount of time the software giant normally takes to patch flaws in its operating system and the amount of time the company took to patch a flaw in its digital-rights management system that could have allowed users to strip away protections from any file encoded in Windows Media version 10 or version 11.

So let’s compare:

| Flaw type | Time to patch | Source |
|---|---|---|
| Average Windows flaws | 135 days in 2005 | Washington Post |
| Publicly disclosed Windows flaws | 46 days in 2005 | Washington Post |
| Fastest Windows patch (WMF flaw) | 8 days in January 2006 | SecurityFocus |
| Time to patch DRM flaw | 3 days | Bruce Schneier |

The first question that comes to mind is whether the times are comparable. A flaw in DRM allows attacks on valuable files, but many security flaws patched by the company could also allow an attack on a customer’s valuable files. Another aspect of the patching equation is how likely the flaw is to result in damage. Microsoft, for example, patches more quickly when a worm is indiscriminately spreading amongst Windows systems. Looking at it this way, it would seem that Microsoft places higher value on the data, such as music and videos, protected by its DRM, or believes that users are more likely to attack the copy protection than be attacked by a program using a security flaw, or both.

In the case of its copy protection, Schneier makes this point in terms of the economics of the situation, saying that corporate money demands that Microsoft ensure the security of its copy protection system. In most cases of a publicly disclosed vulnerability, Microsoft patches faster than when there is no pressure. In fact, in many ways, the major variable in Microsoft’s speed of patching appears to be the pressure exerted on the company by its customers. In other words, the company’s DRM clients exert more economic pressure on the company than Joe Consumer.

The question I would pose is whether this is an acceptable state of security or should the economic rules be rewritten to ensure that securing users is just as important as enforcing restrictions on a collection of bits?

Tags: Blog · Consumer Tech · Flaws and vulnerabilities · Security
