Early Warning For Microsoft Premium Customers

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."

Elite.. microsoft and govt

[Davak]

The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.

Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)

Other juicy information from the article:

There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature.

So we are suppose to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.

The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...

While that's a good theory... I bet it's really just microsoft praying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.

This is a big deal?

[Control+Group]

At the risk of sounding like a Microsoft apologist, I really don't see the big deal, here. It's not like they're releasing patches only to premium subscribers, they're providing earlier notice of what's going to be covered in the next security bulletin. This doesn't affect the timetable for the release of vulnerability information or the release of patches. This is just MS saying "heads up, we're going to have a patch for a vulnerability in Office XP rolling out in three days."

*shrug*

Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).

I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.

Change one sentence in the summary...

I would re-write one sentence in the summary as:
"Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
(changed "than" to "FROM")

Best quote from article

[Portigui]

This is a quote from Gartner security analyst John Pescatore and it pretty much sums up my thoughts on this:

If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do.

In a nutshell, is this not what MS is doing?

Re:Best quote from article

[Chess_the_cat]

In a nutshell, is this not what MS is doing?

No. Everyone on the list finds out the same information. This is just a way to sort the list. No biggie.

Re:Best quote from article

[MikeMacK]

Actually, if you have faulty brakes, you may fly. It's kinda like what MS is doing. It's more like, they are telling the people with the extended warranty about the faulty brakes before other customers, but they all will eventually get new brakes. I guess the point would be that if you knew you had faulty brakes, perhaps you wouldn't drive.

Re:Best quote from article

[wankledot]

The more things that are controlled by software in the world (warships, hospital equipment, critical infrastructure, etc.) the greater chance there is of software killing someone.

However, anyone who uses and relys on software to keep someone alive, or keep something from killing someone should not be waiting for the latest IE patch to make sure their shit works.

except...

[Ignignot]

Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

So what? News will still spread quickly

[mdpowell]

That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later. But now MSFT will look bad (worse) because the press is announcing there flaws instead of them.

This is a security focus?

[trilks]

M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propogate the most damage to the rest of us). And the average user won't be a premium customer.

Does it seem like M$ is saying one thing and doing another?

Re:Extortion

[Control+Group]

Oh, for crying out loud.

Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days. Get ready."

This just isn't a big deal.

Re:so how do it get this status

[wideBlueSkies]

>>Security through $$$

You mean "a false sense of security through $$$", right?

wbs.

If only I was a slashdot subscriber...

[DoubleDownOnEleven]

Then I could have commented on this article earlier on, and got a better score!

That's not fair, slashdot should give their information out freely to everyone...

Oh wait, they do, they just treat their paying customers a little better...

I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?

According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.

Why Microsoft gets attacked on Slashdot

[0x0d0a]

Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.