Some intriguing questions about MS OneCare…
When I wrote yesterday that I’m going to head over to Brian Krebs’ blog more often, I didn’t really think I would be quoting him again today. But he has done such a good job following up on the WMF patch issue we reported on yesterday that once again he got me thinking and I want to add some thoughts to his.
Brian points out that according contained in Microsoft’s latest WMF advisory (yes, the one claiming that the WMF exploits are limited in scope), Microsft OneCare customers are protected from this bug. That of course raises some intriguing questions about the nature of the protection offered by this product. How can OneCare customers be protected when Microsoft feels unable to release a working patch before next Tuesday because of all the testing the patch needs to undergo? Who is actually doing all this testing… and how far fetched is the idea that in fact the OneCare customers could be the ones who (knowingly or not, I don’t know because I’m not a OneCare beta program member and haven’t read the EULA) get to test this patch? I mean, it would make sense because through the OneCare software, the patch could be deployed as well as removed or updated if it doesn’t work as designed, all with no end user interaction.
Or does Microsoft actually know another way to protect computers from the WMF based attacks, but chooses not to disclose it to regular Windows users, but only to those willing to pay for extra security (I know OneCare is free at the moment, but it’s also still a beta product that many will be unwilling to install on mission critical computers and Microsoft has plans to charge for it later)? That would indeed be a rather scary scenario – the manufacturer of faulty software refuses to protect its customers from security flaws unless they are willing to pay to have it fixed… kind of like a car manufacturer refusing to fix your brakes that were manufactured with a defect, unless you pay them. I’m not saying that is in fact the case, but the claim that OneCare customers are protected when at the same time Microsoft sees itself unable to provide a patch yet does raise these questions.
Add comment January 5th, 2006