[ISN] Quickest Patch Ever

From: InfoSec News (alerts@private)
Date: Tue Sep 12 2006 - 00:33:23 PDT


By Bruce Schneier
Sept. 7, 2006

If you really want to see Microsoft scramble to patch a hole in its 
software, don't look to vulnerabilities that impact countless Internet 
Explorer users or give intruders control of thousands of Windows 
machines. Just crack Redmond's DRM.

Security patches used to be rare. Software vendors were happy to pretend 
that vulnerabilities in their products were illusory -- and then quietly 
fix the problem in the next software release.

That changed with the full disclosure movement. Independent security 
researchers started going public with the holes they found, making 
vulnerabilities impossible for vendors to ignore. Then worms became more 
common; patching -- and patching quickly -- became the norm.

But even now, no software vendor likes to issue patches. Every patch is 
a public admission that the company made a mistake. Moreover, the 
process diverts engineering resources from new development. Patches 
annoy users by making them update their software, and piss them off even 
more if the update doesn't work properly.

For the vendor, there's an economic balancing act: how much more will 
your users be annoyed by unpatched software than they will be by the 
patch, and is that reduction in annoyance worth the cost of patching?

Since 2003, Microsoft's strategy to balance these costs and benefits has 
been to batch patches: instead of issuing them one at a time, it's been 
issuing them all together on the second Tuesday of each month. This 
decreases Microsoft's development costs and increases the reliability of 
its patches.

The user pays for this strategy by remaining open to known 
vulnerabilities for up to a month. On the other hand, users benefit from 
a predictable schedule: Microsoft can test all the patches that are 
going out at the same time, which means that patches are more reliable 
and users are able to install them faster with more confidence.

In the absence of regulation, software liability, or some other 
mechanism to make unpatched software costly for the vendor, "Patch 
Tuesday" is the best users are likely to get.

Why? Because it makes near-term financial sense to Microsoft. The 
company is not a public charity, and if the internet suffers, or if 
computers are compromised en masse, the economic impact on Microsoft is 
still minimal.

Microsoft is in the business of making money, and keeping users secure 
by patching its software is only incidental to that goal.

There's no better example of this principle in action than Microsoft's 
behavior around the vulnerability in its digital rights management 
software PlaysForSure.

Last week, a hacker developed an application called FairUse4WM that 
strips the copy protection from Windows Media DRM 10 and 11 files.

Now, this isn't a "vulnerability" in the normal sense of the word: 
digital rights management is not a feature that users want. Being able 
to remove copy protection is a good thing for some users, and completely 
irrelevant for everyone else. No user is ever going to say: "Oh no. I 
can now play the music I bought for my PC on my Mac. I must install a 
patch so I can't do that anymore."

But to Microsoft, this vulnerability is a big deal. It affects the 
company's relationship with major record labels. It affects the 
company's product offerings. It affects the company's bottom line. 
Fixing this "vulnerability" is in the company's best interest; never 
mind the customer.

So Microsoft wasted no time; it issued a patch three days after learning 
about the hack. There's no month-long wait for copyright holders who 
rely on Microsoft's DRM.

This clearly demonstrates that economics is a much more powerful 
motivator than security.

It should surprise no one that the system didn't stay patched for long. 
FairUse4WM 1.2 gets around Microsoft's patch, and also circumvents the 
copy protection in Windows Media DRM 9 and 11beta2 files.

That was Saturday. Any guess on how long it will take Microsoft to patch 
Media Player once again? And then how long before the FairUse4WM people 
update their own software?

Certainly much less time than it will take Microsoft and the recording 
industry to realize they're playing a losing game, and that trying to 
make digital files uncopyable is like trying to make water not wet.

If Microsoft abandoned this Sisyphean effort and put the same 
development effort into building a fast and reliable patching system, 
the entire internet would benefit. But simple economics says it probably 
never will.


Bruce Schneier is the CTO of Counterpane Internet Security and the 
author of Beyond Fear: Thinking Sensibly About Security in an Uncertain 
World. You can contact him through his website.
