Patch and P(r)ay?
After years of customer feedback, Microsoft has indeed gotten better about writing its security advisories in plainer English and less geek speak, but still I find myself sometimes glazing over potentially significant details buried within the notices.
Take this little morsel for instance, tucked into Redmond's latest advisory about how the few hundred or so distinct threats attacking Windows users through a critical unpatched software flaw "are limited in scope and not widespread."
"If you are a Windows OneCare user and your current status is green," the advisory reads, "you are already protected from known malware that uses this vulnerability to attempt to attack systems."
I had to read that line twice, because I couldn't figure out how I missed it the first time round. I myself am not a user of OneCare, a beta service Microsoft is rolling out to provide antivirus updates and other unspecified protections against spyware and all types of malware. But I might be one soon, if only to learn what else Microsoft could be doing to protect me and my five Windows PCs from assault from these limited threats.
Microsoft has let it be known that it plans to charge for this service at some point, but it hasn't been very specific about when it would start doing that and how much the service would cost customers.
Microsoft said Tuesday that although it had developed a patch to fix the current problem, it would not release it to the public for another week. Rather, it said, the patch needed to undergo quality testing to make sure it didn't break other applications -- particularly complex, custom software commonly found in businesses.
In making this choice, Microsoft is behaving like a perfectly rational corporation. They'd rather not get sued by companies accusing them of ditching quality control to rush a patch out the door just to save a few days, an event that would still earn them as much bad press as they would have inevitably received having waited it out through the testing process.
But now I am left wondering what other sorts of protections Microsoft could be giving its OneCare customers against this threat that it is not also providing to the public.
Well, what does Microsoft have to say about it? From their OneCare description page: "Windows OneCare provides continuous feature updates to subscribers, providing you with the latest technologies to help protect you from emerging threats. If you're worried about a new virus or other threat, you can check for updates yourself with a single click."
Fair enough. So we're talking about antivirus and anti-spyware updates, right? Well, maybe, but not so fast. I spotted this teaser over at -- where else -- the "Microsoft Windows OneCare Blog":
"While the exploit was quickly understood, and Windows OneCare sent updates out within hours of the vulnerability being found in Windows, this kind of issue is a reminder that real-time protection is critical. Windows OneCare is much more than just antivirus software of course, but this example shows why this kind of protection is critical to our overall mission of taking care of your PC."
"Windows OneCare is much more than just antivirus software"? In what way? Security Fix would like to know. Did Microsoft silently provide OneCare users the registry hack that it recommended Windows 2000, XP and Server 2003 customers manually apply as an interim (albeit only moderately effective) fix for this larger problem -- which by the way technically is not a security flaw but a feature of Windows going back to the creation of the operating system?
If Microsoft wanted to, and if its customers consented, it could easily tell which OneCare customers were likely home users and therefore less likely to have technical conflicts with a given patch. What is to stop Microsoft from allowing those paying customers to receive the patch before everyone else?
But that is, of course, just a silly, hypothetical situation. Microsoft is clever enough to realize that such a move would smack of asking people to pay for more timely security patches.
So, just how does OneCare differ from a regular antivirus service? Or does it? Referring again to Microsoft's advisory, we see that antivirus is the best thing going around right now to protect users from these threats: "In addition, antivirus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures."
I have to take issue with Microsoft on that point. If anything, the opposite has been shown to be the case. Andreas Marx of AV-test.org, who has routinely tested the response times of nearly two dozen of the most popular antivirus products against each new wave of malware to exploit this flaw, has found time and again that for many, many hours, far too many antivirus products fail to detect the new threats. What's more, Marx found that in cases where the threats were detected, it was usually only after they had fetched and dropped their malicious payload, not when the little buggers first broke into the system.
Granted, Windows OneCare was not among the products that Marx tested, so perhaps this criticism is off base. In the end, I find myself scratching my head and identifying with the sentiments of the last reader to comment on the Microsoft OneCare Blog, someone who simply signed their name "antioed."
"While I think it is great you are developing this software I think parts of it are long overdue in Windows and I have to admit I am a little disgruntled about aspects of how Microsoft has handled security in Windows thus far. While this software gives added security capabilities for antivirus and spyware beyond the scope of what should be included with the OS I do not see why someone who has paid for an OS license should not be able to get the same level of realtime protection for plugging up and monitoring vulnerabilities until patches can be applied. Advanced security features should be included with the OS and I was quite pleased with the security improvements in [Service Pack 2]. The antivirus and spyware are not Microsoft's fault and therefore fair game for charging a fee ... are there any plans to integrate realtime vulnerability monitoring and protection capabilities in the Security Center constructs built into XP SP2? If Microsoft cannot get a patch out they should at least be able to plug and monitor the hole easily, automatically and in real-time ... free. It's not the user's fault."
One final note: It appears we now have at least one more unofficial patch to fix this widespread Windows flaw, this one courtesy of a Paolo Monti from San Diego-based Eset, which makes the NOD32 line of antivirus products. Monti says no reboot is required, and that the gratis patch works on Windows 9x and Windows ME (the other unofficial patch Security Fix mentioned this week does not claim to work on either).
Eset is a respected company with a proven product, so I don't doubt this patch does what it says, but then again I don't know anyone who's vetted it, so use at your own risk.
OK, I lied: This is the final note. Microsoft says Windows users who have questions, concerns or problems surrounding this issue can call 1-866-PCSAFETY. Keep in mind, however, that if you do apply this third-party patch, Microsoft will in all likelihood refuse to help you return your PC to its previous pre-patch state should the patch somehow muck it up.