Monday, September 11, 2006

Security Vulnerabilities vs Economic Vulnerabilities

An interesting post here by Bruce Schneier on the irony of how Microsoft approaches its security patching - with Patch Tuesday every month - as opposed to how they handled a recently exploited flaw in their Windows Media Player, which saw not so much a security vulnerability being exposed as an attack on the profitability of a Microsoft product/service.

This post highlights obvious concerns with the way Microsoft addresses known security vulnerabilities: security patches are released once per month, leaving us all exposed for up to a month leading up to those releases. Yet Microsoft managed to release a patch to Media Player when the vulnerability represented not a security threat, but an economic threat to MS.

Of course, this will have the anti-MS brigade up in arms, pointing at MS's greed, irresponsibility, etc, etc. However, as Bruce points out, you can't really be surprised. Economics will always win out when setting priorities at any company - whether it's a one-man band, or Microsoft.

It is fun to point out the irony of this incident. "How come they can patch this so quickly when we have to wait a month for patches that don't hit their bottom line so quickly?" But we must bear reality in mind. We are talking about one patch, that was completely motivated by protecting revenue of a commercial enterprise. Of course they patched it. Should this product wind up needing an endless supply of "3 daily" patches, its commercial viability will quickly go down the toilet and they'd scrap it altogether. A fate that the world cannot afford for the hundreds of other products that are updated every "Patch Tuesday". So I, for one, believe that MS have the balance about right - a result many may argue is the product of market forces at work.