Jan/09
This just in: unpatched computers are unsafe
I meant to post something about this five days ago, when this story was fresh. About five days ago, Slashdot reported that 1 in 3 PCs are still vulnerable to an attack on the Windows Server service that runs on all computers running Windows XP or later. Slashdot runs a snippet from the article in which a CTO claims that the patch cycle is too slow, and then questions whether Microsoft’s Patch Tuesday is still acceptable.
At first, you might think they have a point. Then you read the article and find that this particular worm exploits the same flaw that was patched almost three months ago. In fact, when Ars Technica fretted in early December that many PCs were still unpatched, I wrote a post suggesting managed PCs for most users so that updates would be handled automatically.
Another thing that’s clearly wrong about this argument: this flaw was patched ON A THURSDAY. Not only did Microsoft patch this months ago, they patched it outside of their normal patch cycle. And yet, people claim that Microsoft didn’t do enough to fix this flaw, because 1 in 3 people have not updated their PC in 3 months.
Security flaws happen. When they happen, the software producer can either leave the flaw unpatched or patch it. In Linux, when flaws are discovered, it’s true that they are normally patched very quickly – but how often do Linux patches break existing functionality? Even Apple can’t get this right – every patch they release seems to break something, and Apple has one of the slowest patch cycles out there. (By the way, read that article: Microsoft is fastest.) Microsoft seems to have mastered the art of pushing patches out quickly while making sure they’re sound and play nice with everything else (and lately, they’re avoiding the need to patch at all).
Patch Tuesday works, for people who know what they’re doing. Even if people don’t, would it really help if Microsoft were releasing patches daily? Would people actually click that icon once a day when they don’t click it in three months? Like many supposed problems with Windows, the main issue here is that Windows attracts the uneducated computer users (Apple does too, but to a far lesser extent). If the masses of people who use Windows suddenly switched to Linux, assuming they got their system to work, eventually you’d see articles on Microsoft blogs with titles like “Linux: vulnerable to a brute-force attack on user accounts with two characters or less”.
Slashdot is biased, but at least most of the time they have a valid opinion. This time, they were way off.
January 21st, 2009
“Apple has the one of the slowest patch cycles out there. (By the way, read that article: Microsoft is fastest.) Microsoft seems to have mastered the art of pushing patches out quickly”
To be fair, Microsoft also has a considerable amount of practice at pushing out emergency patches.
“the main issue here is that Windows attracts the uneducated computer users”
See, now we’re in agreement
“Linux: vulnerable to a brute-force attack on user accounts with two characters or less”
[18] [mrozekma@etudes-1 ~] % passwd
Changing password for mrozekma.
(current) UNIX password:
New UNIX password:
BAD PASSWORD: it is WAY too short
New UNIX password: