Opinion: Old and insecure third-party applications are the vector in more and more compromised systems. Here are some radical ideas for addressing the problem.
This could be the first in a series of probably intermittent columns on things Microsoft should be doing. Its important to note that starting a few years ago Microsoft finally got religion on security, and it does a heck of a lot for its customers and the community at large. But it could do more.
One important thing the company could do that would benefit just about everyone is to vastly expand the role of Windows Update to support third-party applications. Its a dangerous thing to do and its easy to see Microsoft execs thinking that all it does is help the competition. The truth is that it will help everyone, Microsoft included, by making Windows systems safer in general.
This is an old idea that I discussed with others at least a couple years ago, but I was reminded of it by a supposedly leaked feature wish list for Windows 7 on Neowin
. At least I think thats whats meant by "Extended Windows Update to cover 3rd party application updates and 3rd party driver updates." Actually, Windows Update already includes many third-party driver updates and a few third-party application updates, although I believe only for applications that ship with Windows, such as Flash.
If you look at the last few years of Microsoft products and the vulnerabilities in them, its getting to be pretty slim pickings, but even if you think there are more than enough vulnerabilities in Microsoft products, you still have to contend with the fact that users who follow Microsofts updating system, which is on by default for its new products, are generally protected faster than exploits get a chance to attack them.
Thats why its increasingly likely these days that successful attacks happen through old third-party applications with old vulnerabilities in them. These vulnerabilities may themselves be patched, but the update system isnt as automatic and in your face as Microsofts.
What if third-party application vendors could design their applications to update through Windows Update? Microsoft obviously wants to have some say over quality control and security of the update system, but its not right that it should have complete control over third-party updates to its own applications. Instead, it should be something like a custom hosting service.
What are the Webs 12 scariest applications? Find out here.
Vendors could apply for a section on the Windows Update site (imagine winzip.windowsupdate.com). Microsoft can define the formats for the updates, defining what files to change and how. It can issue digital certificates to the vendors, hold the public keys and cross-sign the code itself so that it and users can confirm that the updates came from Microsoft and a vendor approved by Microsoft. The company could define standards for severity rankings for vulnerabilities and the updates (in fact, it has such standards already, but its probably worth revisiting them). It could even set testing requirements for updates and perhaps require that Microsofts labs test them before they go up on the site. Finally, I think it would be fair for Microsoft to charge a fee to put updates on the Windows Update site.
For the same reasons that they like Microsofts monthly schedule for their own updates, businesses would like this approach. It would help them plan updates on a regular schedule and organize updates through a simpler process.
Some of the decisions are difficult; a vendor should get to decide when its application needs an update, but Microsoft needs to have some control over what goes out on Windows Update. Perhaps a compromise is a board of supervisors for Windows Update that makes the key decisions on what goes out on the site and when, and also what goes out on the critical update list (and therefore on Automatic Updates). It might be reasonable, at least for a while, for Microsoft to have a majority on this board, but at least there would be a formal process for hearing views, and any member company should get at least some of the proceedings.
In the end, because they were on Windows Update these vendors would have their apps updated with the same urgency and automated nature as Microsofts. The same changes would likely make the updates available to Windows Software Update Services and other channels. Microsoft wins, app vendors win, users win. Sounds like a win-win-win to me.
There is exactly one really big problem with this proposal, probably the reason it didnt happen years ago: testing. Microsoft does an extraordinary amount of testing for every update it puts out, and even then problems show up now and then. Making vendors share in the testing burden, at least the cost of it, is the only way for this to happen. When you think about it, I bet a lot of vendors would actually be enthusiastic for a chance to get testing like that. Maybe its possible.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack
More from Larry Seltzer