Slashdot Mirror


Microsoft to Offer Patches to U.S. Govt. First

Elitist_Phoenix writes "Reuters reports that 'Microsoft is to give the U.S. government priority in fixing security holes in Windows and other software, The Wall Street Journal reported on Friday. Under a plan to take effect later this year, Microsoft will give the U.S. Air Force versions of software 'patches' to fix serious security vulnerabilities up to a month before they are available to others.' Yet another attempt to fight off impending doom, by trying to keep the government away from open source?"

6 of 344 comments

  1. Article submitter biased? No, not on /. by 3770 · · Score: 3, Informative

    Yet another attempt to fight off impending doom, by trying to keep the government away from open source?


    Man, people really want Microsoft to become a footnote in history.

    --
    The Internet is full. Go Away!!!
  2. Re:Great idea. by Anonymous Coward · · Score: 1, Informative

    What? That doesn't make sense. You're not getting the patches any earlier than they are coming out now. What MS is doing is delaying the availability of these patches to the public to make the DoD feel special. If MS gave its patches out any earlier than they are now then you will be getting less thoroughly tested patches, which could lead to harming your systems more than NOT applying the patches.

  3. Re:Great idea. by Anonymous Coward · · Score: 1, Informative

    It isn't really an extra month. How are they supposed to make sure the info on these vulns doesn't get leaked to shady communities? Or perhaps reported by someone who told someone else who told it to a shady community? Or reported by someone who believes that once some people know, everyone should know, and who will just go full-disclosure first, or soon afterwards. I imagine it will just push more people to post full-disclosure before even contacting Microsoft. These people are doing MS a favor by even reporting these vulns and a lot will not appreciate this policy.

  4. Re:Safety First by drooling-dog · · Score: 2, Informative

    That was my first thought. Now my network is going to be exposed for a month after Microsoft tells a select class of customers about a vulnerability. Oh, well, not to worry: I'm sure they'll all be trustworthy types, and that's 30 days of bliss before I have to do anything about it...

  5. Natural evolution of thought by RhettLivingston · · Score: 2, Informative

    First everybody (really, mostly IT professionals trying to balance benefit of patching versus risk and cost of patching) berated Microsoft for releasing patches too often. So, Microsoft responds and releases them once a month. OF COURSE that means they are holding onto patches for up to a month. The number of ignorant posts here that seem to think that this is an announcement that they are going to START delaying patches is just unbelievable. The industry already made them do that.

    This is just the natural next step in the social evolution of the situation. Now we've got the users who have a different benefit/risk equation demanding release of patches as soon as they are available. It's just the Air Force now, but it will eventually become a selectable option so that we can all choose our own poison.

    Personally, I've never had a problem with applying a Microsoft patch despite having 100s of applications on my machines including several large suites and a large proportion of open source. The problems seem to come mostly to people using low quality drivers or applications from a few companies that have questionable SW design practices like replacing core DLLs. I'd like the Air Force's option and suspect I'll eventually get it.

  6. Re:Haha by digitalchinky · · Score: 2, Informative

    You are referring to active sigint; while some branches may take the short-lived opportunity to diff the changes and work back to the exploit, this stunt is politically driven, not the stuff of conspiracy theory, unfortunately.

    NSA releasing a worm is not an option since it would, without question, infect allied systems. This is well beyond the mission statement - and the law.

    Active sigint is not done lightly, or quickly.

    Microsoft gets a nice tidy chunk of near-free cash from the NSA each year; think money and applied pressure to key politicians.