Spit and dirty socks, I said, upon learning of Microsoft’s new plan to reduce the number of critical security patches for Windows and other software. I then opined that Windows .Net Server 2003 would require 30 such patches in the first year after its release, which is expected sometime after April 2003.
Unsurprisingly, Microsoft’s solution to the security problem doesn’t involve writing cleaner and more secure code; it is instead an exercise in perception management. Currently, vulnerabilities are described by the company as “critical”, “moderate”, and “low”. What’s going to change is that the critical group will be split in two: flaws that really are critical and those that are merely important. I assume that the patches on Windows Update will be reclassified in a similar manner, thus foiling my simple nose count.
So what do I do now? Combine the new “important” category with the announced critical patches to get the final number or restate the line? I’m probably going to do the former, since the bookies’ easy way out of declaring “no line” is also no fun.
I’m also confused by the distinctions between recommended updates, important updates, and critical patches (but then again, I don’t have a graduate degree in semantics). As usual, I have a suggestion that’s going to enrage a lot of you: Windows users would be better served by introducing a new category of mandatory updates, where you have 60 or so days to apply the patch, and if you don’t, the computer’s networking functions will be disabled. Savage, yes, but effective.
Of course, finding a way to get that functionality onto the millions of Windows desktops already out there might take some doing. Microsoft would have to disguise it as porn to achieve the widest possible distribution, if my understanding of human nature is any guide.
I’m not going to claim credit for this modest proposal; after all, it’s been around in demo software and shareware for ages, and it shows up from time to time in big-ticket software packages as a way of enforcing a payment agreement.
To give proper credit, I should mention other columnists have repeatedly called for time bombs to be built into software from the beginning.
To be fair, I’ll point out that I can’t name a vendor that produces 100 percent bug-free software or even comes close.
That’s the nature of the software business, where ship schedules are more important than quality. So I promise that I won’t pick on Microsoft next week. Instead, I’ll ponder whether software vendors should be held to the same degree of liability as other industries.