Slashdot Mirror


DRM Hole Sets Patch Speed Record For Microsoft

puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."

15 of 397 comments

  1. Kinda blows their excuse by Eldred · · Score: 5, Insightful

    What's their excuse going to be the next time a user vulnerability that has exploits in the wild has to wait for the next release cycle?

  2. Priorities by wardk · · Score: 5, Insightful

    fatal holes in the browser? whatever

    allowing spyware to take over? who cares

    DRM? we're on it!

  3. Plain and simple by Anonymous Coward · · Score: 5, Insightful

    > this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously

    The fast fix suggests that rapidness of response might be a function of "whose ox is being gored".

    1. Re:Plain and simple by MightyYar · · Score: 5, Insightful

      Exactly! The cat's out of the bag... we know that they are CAPABLE of a 3-day turnaround. That line about having to wait for testing and blah, blah, blah was totally bogus, apparently.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

    2. Re:Plain and simple by Abcd1234 · · Score: 4, Insightful

      Well, just to play devil's advocate - what if the vulnerability fix was, literally, a couple of lines of code? Maybe it was just a tiny fix.

      Actually, I suspect the vast majority of security fixes are just this. Usually it involves adding a couple more error checks to function inputs, putting length limits on operations on memory buffers, that sort of thing. I suspect it's quite rare for a patch to be any more involved, unless it's the result of a serious error in design.
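An added example (editor's code, not from the thread, from Microsoft or from the DRM patch under discussion) of the kind of fix Abcd1234 describes: a fixed-size copy that trusts the caller's length, beside the same function with an input check and a length limit added. The record type, NAME_MAX and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record; name[] is the kind of bounded buffer
 * that an unchecked copy overruns. */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
    int  id;            /* sits right after name[], so an overrun lands here first */
};

/* "Before": trusts the caller's length. Any len >= NAME_MAX writes past
 * name[] (undefined behaviour); with len == NAME_MAX the terminator alone
 * overruns by one byte, a classic off-by-one. Shown for contrast only. */
void set_name_unchecked(struct record *r, const char *src, size_t len)
{
    memcpy(r->name, src, len);
    r->name[len] = '\0';
}

/* "After": the couple-of-lines fix the comment describes, an input check
 * plus a length limit. The limit is strict (len < NAME_MAX) so the
 * terminator always fits; oversized input is rejected rather than
 * silently truncated, and the caller gets a return value it can act on. */
bool set_name_checked(struct record *r, const char *src, size_t len)
{
    if (r == NULL || src == NULL || len >= NAME_MAX)
        return false;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return true;
}

/* Small harness so the block runs on its own; inputs are constructed. */
int main(void)
{
    struct record r = { .name = "", .id = 42 };
    const char *inputs[] = { "alice", "0123456789abcde", "0123456789abcdef" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = set_name_checked(&r, inputs[i], strlen(inputs[i]));
        printf("%-17s -> %s (id still %d)\n", inputs[i],
               ok ? "accepted" : "rejected", r.id);
    }
    return 0;
}
```

The diff between the two functions really is two lines, which is radtea's point as much as Abcd1234's: the interesting case is the 16-character input, which the old code accepts and corrupts the neighbouring field with, and which only a test that exercises the boundary would catch.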

    3. Re:Plain and simple by radtea · · Score: 4, Insightful

      > Well, just to play devil's advocate - what if the vulnerability fix was, literally, a couple of lines of code? Maybe it was just a tiny fix.

      I once moved a single line of code up one line and broke the product in a subtle and interesting way that fouled up major testing, delayed a milestone, and severely and justifiably pissed off one of my colleagues.

      There are no small fixes. A famous single-character error (typing "." for "," in a FORTRAN DO loop header, so it read DO I=1.10 instead of DO I=1,10) resulted in the destruction of a spacecraft.

      So I guess fixes that involve changing less than one character are safe to release with minimal testing. All the rest need the full cycle.

      The only reason why Microsoft might not do that in the present case is because keeping partners who depend on DRM happy is really, really important, and therefore they are willing to take the risk of crashing users' machines. Either that, or the person making the decision is just not very smart, a possibility never to be discounted.

      --
      Blasphemy is a human right. Blasphemophobia kills.

  4. Who profits? by Damiano · · Score: 4, Insightful

    As TFA says, it's simple. A normal security hole costs the user money, not Microsoft. This "security hole" (indirectly) costs MS money so it gets fixed ASAP. MS is, if nothing, good at protecting its bottom line.

  5. Critical, or not? by kripkenstein · · Score: 5, Insightful

    > So this is going to be the least installed patch for Windows ever, until they make it mandatory.

    Actually, this is a very serious question: is the patch marked critical, or not? This is important, because:

    1. If the patch is critical, it will get criticized for being, in effect, mandatory degradation of capability (by the tech-savvy). Also, this will make light of Microsoft's security policy, to call this sort of patch 'critical'.
    2. If the patch is not critical, then - oh, the irony - by default, it will not be installable on computers failing WGA. Perhaps Microsoft will get around this. But, as WGA currently works, only critical patches are allowed to systems marked as 'non-genuine'. This would be amusing - pirated copies of Windows would not receive this unwanted patch, but paid-for copies would.

    I can't find, in TFA or the sources it cites, any mention of the severity of the patch. Anyone know the answer to this?

  6. Re:Customers' best interest by Tackhead · · Score: 4, Insightful

    > While it may be funny to joke about it serving the customers' best interest if Microsoft were to go belly up,

    Microsoft is serving its customers' best interests. Their customers are system builders such as Dell, purchasing managers at businesses, and media companies.

    The guy at the keyboard of a Windows Vista box, using Microsoft Office at work, and Windows Media Player at home is not the customer, he is the product.

  7. Re:Regulation? by RocketScientist · · Score: 5, Insightful

    The free market is EXACTLY how this should be fixed.

    It's currently regulated so that the free market has NOTHING TO DO WITH THE PROBLEM.

    The primary issue, and this is exactly out of Mr Schneier's playbook, is that Microsoft has no direct civil liability for their defects. It's exactly as if you couldn't sue Ford because your Pinto's gas tank exploded. Ford would have no reason to fix the defect. Well, the same problem here: if you buy defective software, you have no recourse to sue the manufacturer of the product. Remove that lack of liability and you'll start to see problems get fixed very very quickly.

    If Microsoft was civilly liable for every piece of spam that was sent by a Windows zombie PC, there would very quickly be patches.

    Less protection of corporations, and more market forces, would fix this problem. This is EXACTLY the kind of problem markets are very good at fixing. The problem is that the current regulation circumvents the market.

  8. Re:Regulation? by spun · · Score: 5, Insightful

    Unfortunately, free markets lead to concentration of wealth. Concentration of wealth leads to concentration of power, which leads to control of the regulatory process. Free markets invariably become unfree because of a runaway feedback loop. At least in democracy we have checks and balances. Where are the checks and balances within a free market that will work to keep it free? There are none.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton

  9. The squeaky wheel gets the grease by TopShelf · · Score: 4, Insightful

    > And isn't it sad that the quickest patch they ever release is for a hole no user cares about? More proof that MS cares more about their corporate friends than users.

    Is it proof that MS doesn't care enough about users, or is it (by extension) proof that users don't care much about OS vulnerabilities? Sure, they may complain, but do they actually take action and demonstrate that they care, by switching to more secure OS's (by moving to Apple or Linux)?

    After all, MS reacts to what its customers and business partners care about. The music companies go apeshit over stuff like this, but users (both corporate and personal) haven't really demonstrated that they'd rather take their business somewhere else, so why should MS give them anything more than lip service?

    --
    Stop by my site where I write about ERP systems & more

  10. Who the customer REALLY is by dustwun · · Score: 4, Insightful

    People seem to be overlooking who the customer REALLY is here. The bottom line lies in corporate back scratching for multi-$$$$ contracts and agreements.

    One business contract with a large label, Dell, or Sony is worth more than the mutterings and begrudging updates from Windows consumers. Most of us are not the customers, we're the consumers. Most people don't buy Windows from Microsoft, they buy it from Dell, or Gateway, or whoever else sold them their computer. The Dells, Gateways, etc. are the customers. The game companies writing for Xbox 360s, the phone vendors embedding WinCE, they're the customers.

    Bottom line: if you're bitching about this update, you're a consumer. If you think it's a good thing, then you're the customer.

  11. Re:Regulation? by ChronosWS · · Score: 5, Insightful

    And there's no concentration of wealth and power now, in our democracy? Maybe you've missed the consistent erosion of our rights lately, and fail to realize that the people eroding those rights also have the power to use force (as in they can lock you up and/or kill you) to further their ends AND it's perfectly legal so long as the right people are paid off (or themselves coerced.)

  12. Re:I'll play devil's advocate too by brianosaurus · · Score: 4, Insightful

    It's all about money. The DRM is key to their relationship with media partners. If DRM is broken then all Windows users will suddenly, uncontrollably start pirating their media; we can't help it, apparently, and without the DRM firmly in place, we might end up like Sweden.

    I'm sure they're more "worried" about DRM breaking than the everyday security holes that merely allow someone to glom your computer onto their botnet, since there's money and contracts that depend on the DRM. The EULA is probably the only agreement that might be impacted by a security flaw, but we all know those are meaningless.

    --
    blog