I’ve stopped to gawp, tweet and rub my eyes with astonishment so many times reading this article about Microsoft’s ritual Patch Tuesday that it’s taken me a ridiculously long time to get to the end. If you ever had any doubts about why open source is such a wonderful thing, consider these little beauties, all comments about how Microsoft handles security updates:
Updates are prioritised according to the severity of the flaw and whether the vulnerability is a known public issue or was privately reported.
Microsoft prefers vulnerabilities to be reported privately
it could be months before Trustworthy Computing finds space in its schedule for any particular fix
If you were looking for a justification for open source then your search is over. Fair enough to prioritise on the basis of severity (though who releases software with “severe” security flaws?? Oh, Microsoft.), but on the basis of how many people know about it?? Jeepers. I doubt anyone’s surprised that Microsoft, the very antithesis of openness, prefers private reporting – see point one. And that last baby, that is a huge point. When it’s just Microsoft employees working on a deluge of security vulnerabilities then it’s going to take a long time to fix, but open up that code to the rest of the world and a fix will be forthcoming in no time. And if you’re wondering what Trustworthy Computing is, it’s the body Microsoft set up to “deliver a more secure, private and reliable computing experience”, leaving one to infer that those values aren’t part of Microsoft’s core venture. As the article asks towards the end:
However, if the software was properly coded in the first place, would it be necessary to embark on an endless process of fixes?