Two schools of thought exist in the world today as to how software developers should address security problems. There is the “trust me” school, with Microsoft as its leader, and the “trust us” school of the open-source movement. Either can work, provided there is a substantial effort to make it work.
But which works better? Open-source proponents say having a broad volunteer effort and available source code means that fewer problems slip through and that those are dealt with quickly. Microsoft says its doing everything possible, including spending scads of money, to solve the problems its customers face.
But sometimes Microsofts efforts seem only half-efforts, such as the companys admission Tuesday that users of its Windows Media Player 9 Series remain vulnerable to the threat of malware infection. And in such cases, one has to wonder, “What if?”
For example, what if the Windows Media Player group wasnt off in its own world and was better integrated with the rest of Microsofts security effort? Might that have improved the companys responsiveness when confronted with a security hole in both the 9 and 10 versions of the player?
The problem involved DRM (digital rights management) and the ability of bad guys to spoof users into installing malware on their systems. But instead of solving the problem, Microsoft seemed to hem and haw with the issue. When first alerted, Microsoft initially denied that the problem even existed.
Once it accepted responsibility, Redmond focused not on the largest number of potential victims but on patching its most current software. Instead of helping the vast number of vulnerable WMP 9 users, Microsoft did a Windows XP fix and, for a while, seemed to have declared the matter closed.
Microsoft seems to place a greater emphasis on solving what Ill call “enterprise” security gaps than on those in more consumer-oriented products such as Windows Media Player. Some of this is because the server, Internet Explorer and operating-system groups face many more security issues than the group responsible for Media Player. That could also explain the disorganized response, which left some security analysts shaking their heads.
I dont mean to make too much of a single incident, though the bungled response tells us that Microsoft needs a better companywide response to security problems. I wont offer an organizational lecture, but Id hoped by now that all parts of Microsoft would be more responsive.
Theres no question that Microsoft will fumble sometimes, and the further a problem resides from the normal range of vulnerabilities, the more disorganized the response may be. Windows Media Player seems to be an example of this.
As for the timing of patching WMP 9 versus 10, Ill just say that Microsoft gives the impression that it is trying to “encourage” customers to buy new software by letting them sway in the breeze for a while when the older software needs fixing.
For example, the forthcoming Internet Explorer 7 includes security fixes for post-XP SP2 (Service Pack 2) users, but nothing for users running earlier operating systems. The was also the period of time when Microsoft seemed willing to withhold all security fixes from pirated versions of XP as an incentive for people to “upgrade” to legal software. I dont support pirating software, but this again shows how Microsoft considers security fixes a way to drive users onto more current software.
There obviously is some limit to how far back Microsoft should be expected to go with security fixes. Its fine with me that Windows 95 users are now on their own. But there are still many Windows 98 and Windows 2000 users who just havent been persuaded to enjoy the wonders of XP, which usually involves replacing their current hardware.
This is not one of those “Microsoft evil, open source good” columns. Still, its likely that users of open-source software wouldnt be left hanging quite as often as Microsoft users are. After all, if fixes arent forthcoming, the open-sourcers have only themselves to blame.
Microsoft customers, dependent as they are on Redmonds willingness to solve their problems, have no do-it-yourself alternatives. That is, save going to open source, which on days when Microsoft drops the ball on fixing important software, doesnt seem like such a bad idea.
Redmond needs to accept that all users matter, even if they havent swapped their Windows 98 or 2000 machines for XP, and that all of them deserve the full range of patches they might need. After all, is it really their fault that Microsoft hasnt offered them a compelling upgrade?