
Why Can't Microsoft Just Patch Everything?

Zonk posted more than 8 years ago | from the they-need-more-cookies dept.


paneraboy writes "If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks, why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities? Had Microsoft fixed a low risk browser vulnerability six months ago, perhaps we could have avoided last week's zero-day exploit. Currently, more than two dozen Windows XP issues remain unpatched. Ou thinks Microsoft ought to fix them all." From the article: "Almost 4 years after the launch of Trustworthy Computing, I found myself wondering why am I staying up till 4:00 AM to deliver an emergency set of instructions (Home and Enterprise) to my readers because Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but mutated into something extremely dangerous."


640 comments


because to do so... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14157142)

would effectively make Windows Linux...

FP? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14157143)

Frist?

Stallman == crazy street looney, photo proof! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14157219)

TEH END IS NEAR! [nowpublic.com]

Repent, you DRM sinners!

Good ole' 2002 (3, Interesting)

rd4tech (711615) | more than 8 years ago | (#14157144)

Here's one from the article flagged: "Less critical" from 2002: SA7127 [secunia.com] Check out the first paragraph of this 'less critical' item's description.

By the way, when I read a statement like this one:
If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?
I start thinking there ought to be some kind of credibility (karma) system for anyone giving public opinions. You know, give the article '-1', give the guy 'Terrible Karma'. Make all his subsequent articles disappear for you, or even better, replace the article with a 'joke of the day', you know, to dilute the real news a bit.

Re:Good ole' 2002 (2, Insightful)

Doc Ruby (173196) | more than 8 years ago | (#14157195)

You mean like when someone says "if smaller software companies can patch all of their bugs" means "if all smaller software companies can patch all of their bugs"? Thanks for the permission to flag all of your future posts as "joke".

Re:Good ole' 2002 (2, Funny)

rd4tech (711615) | more than 8 years ago | (#14157242)

no, I didn't mean that ;)

Re:Good ole' 2002 (0)

Anonymous Coward | more than 8 years ago | (#14157409)

Nor did you say it! I have no idea what the hell he's talking about, even if an equally moronic moderator found it "insightful".

Re:Good ole' 2002 (0)

Anonymous Coward | more than 8 years ago | (#14157251)

Just because Microsoft takes in a lot of money doesn't mean they put it all back out in developers! LOL. People have salaries too you know. Most of the profit goes into the pocket, not into investments.

Seems like some people don't understand coding (5, Insightful)

MSFanBoi2 (930319) | more than 8 years ago | (#14157146)

Seems like some members of the press don't understand coding. You can't just go and patch everything. Regression testing? Making sure all the changes work as needed without impacting other subsystems.

Do you really think if Microsoft COULD do it, they wouldn't.

Re:Seems like some people don't understand coding (5, Interesting)

redfirebmd (815070) | more than 8 years ago | (#14157226)

Seems like some members of the press don't understand coding. You can't just go and patch everything. Regression testing? Making sure all the changes work as needed without impacting other subsystems.

Do you really think if Microsoft COULD do it, they wouldn't.

Whereas I agree with you that it isn't as easy as some people think, if any company in the world has the resources to do it, it's Microsoft. I see NO reason why a company with this many people and this much money can't get good patches out the door soon after vulnerabilities are found. The only explanation is poor organization and bureaucracy.

Re:Seems like some people don't understand coding (4, Insightful)

Shakrai (717556) | more than 8 years ago | (#14157260)

Do you really think if Microsoft COULD do it, they wouldn't.

Just because they CAN do something doesn't mean that they WILL. Anybody care to remember what it was way back in the day with Microsoft software? Anybody remember how they ignored holes that were exploited far worse than this one until the public outrage overwhelmed their PR spin?

They don't look on security as anything other than a marketing ploy.

Re:Seems like some people don't understand coding (1)

borawjm (747876) | more than 8 years ago | (#14157448)

They don't look on security as anything other than a marketing ploy

Right, they just want to sell software like Microsoft Anti-Spyware and Windows Defender. Why spend money and resources patching software when you can make money by selling software that is designed to cover your holes.

Re:Seems like some people don't understand coding (5, Informative)

cnelzie (451984) | more than 8 years ago | (#14157288)

Of course, if the base design philosophy is flawed to begin with, even if they could "patch everything" they would likely be better off rewriting from the ground up.

Many components of Windows and MS software on Windows utilize Remote Procedure Calls, even if the applications are on the same exact system. This is inherently flawed, as shown in many past MS Windows exploits. Just look at the MS-SQL exploits as perfect examples.

If security, instead of "ease of coding", had been the design goal from the start, RPC wouldn't be used for communication between processes on the exact same piece of hardware. This is how it is done with MySQL and Apache on Linux and why RPC exploits won't work if those services are running on the exact same hardware.

The list of flawed design decisions that went into Windows at the very beginning continues to haunt the Windows operating system to this day. No, I am not some blind unqualified moron making these statements; I manage Windows desktops for a living, used to work full time with Windows Servers, and one of my hobbies has been looking into OS architecture design and how it relates to system security.

Re:Seems like some people don't understand coding (2, Insightful)

darkmeridian (119044) | more than 8 years ago | (#14157320)

Exactly. I don't program, I've just read Slashdot for the last few years or so (UID war?) but even I know that software is so interrelated, especially something with a codebase as large as Windows, that if you change one area, there will be effects somewhere else. You cannot change many things at the same time because you will never be able to figure out which did what. You have to do things serially. That's why you cannot fix Windows all at once.

Re:Seems like some people don't understand coding (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14157388)

This is an excellent and often overlooked point. Depending on what you are patching (especially in an OS or API), the implications to other software can be massive. 5 minute code fix could = 1000 hours of testing + fixing bugs found after testing. Not to mention us poor old 3rd party folks.

caring ? (0, Troll)

morbidi (638665) | more than 8 years ago | (#14157147)

they do care about us

Well ... (2, Funny)

SpooForBrains (771537) | more than 8 years ago | (#14157151)

To paraphrase a certain mercenary, where's the percentage in that?

red tape (1)

brandanglendenning (766328) | more than 8 years ago | (#14157153)

just a guess?

patch the leaky boat (5, Insightful)

Speare (84249) | more than 8 years ago | (#14157155)

You can only patch a leaking boat so much, even if you drydock the vessel for a few months. When it's only held together by the barnacles and the masthead, it's going to sink whether you bail it out or not. At some point, you're going to have to re-think the design of that hull, and start from scratch.

Re:patch the leaky boat (4, Insightful)

Reziac (43301) | more than 8 years ago | (#14157353)

And unfortunately, over time your new hull will grow its own barnacles and weed, and you'll find that some of the planks used weren't as sound or warp-free as they appeared, and maybe the craftsmen who designed it weren't quite as expert as they thought, either. So sooner or later you'll have to tar that hull's leaks too. And the more rough seas and heavy cargo the boat experiences, the more often you'll have to tar it.

Not to mention that a new hull design, or switching from sail to diesel, might require that you retrain all your sailors too!

Re:patch the leaky boat (1)

aw232 (904545) | more than 8 years ago | (#14157473)

I remember reading several weeks ago that this is exactly what MS is doing with Vista. I don't have an article link for you but the gist was that the code base had become so unwieldy that it was impossible to continue without a major overhaul of the foundation and the way that MS developed the OS.

Re:patch the leaky boat (1)

Ours (596171) | more than 8 years ago | (#14157517)

And that's, from what I read, something that happened during the Windows Vista development cycle. The developers were pushing for a rewrite because with all the legacy Windows NT was getting close to impossible to add stuff and get the whole thing to compile. So despite opposition from Bill Gates, Vista is supposed to have many things rewritten from scratch (1/4 from what I've heard). I guess a complete rewrite would take many years just to take it to the level of Windows XP so they won't be doing that anytime soon. No wonder so many features scheduled for Vista were thrown out.

money... (0)

Anonymous Coward | more than 8 years ago | (#14157156)

Because they're too busy counting all the cash they got ...

It can't be done ... (5, Insightful)

malcomvetter (851474) | more than 8 years ago | (#14157157)

I think MS has come a long way from where they were, but I agree. To the people who claim it can't be done: OpenBSD [openbsd.org] does it!

Re:It can't be done ... (1)

griffindj (887533) | more than 8 years ago | (#14157359)

It truly cannot. OpenBSD may be quicker and more efficient at patching their software. But by definition, a patch is something used to repair something that is broken. The day OpenBSD stops coming out with patches, then I will believe it can be done.

Re:It can't be done ... (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14157514)

I think you're missing the point: OpenBSD doesn't think it can make perfect software. But rather they have a policy of fixing any bug *no matter how small*.

Microsoft (and other vendors) make a cost-benefit analysis.

And that's where we get screwed.

Re:It can't be done ... (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14157449)

Yes, now let's compare the functionality of a base install of openbsd to a base install of windows... eureka I understand now!

You can go on to claim 'well then just install secured packages as well', but it turns out third party apps never run as well as integrated apps. And microsoft is aiming at the people who want a working system out of the box, not a system that's basically a clean slate that you need to draw up yourself.

DUPE!! (0, Offtopic)

Kagura (843695) | more than 8 years ago | (#14157158)

DUPE!

Okay, so it's actually not a dupe, but I got to hear Slashdot users all sigh at once. :)

Re:DUPE!! (1)

Billygoatz (861464) | more than 8 years ago | (#14157499)

This was posted on digg.

Except it was called

"Make an Electric T-shirt"

It had nothing to do with Microsoft or operating systems, but like Windows it also hadn't been patched.

MCSE out of a job then? (0)

Anonymous Coward | more than 8 years ago | (#14157164)

Hey.. what good would our awesome MCSE certification be good for then? You trying to put us out of work?

MS Patch Monkey

Profit motivates business... (1)

187807 (883881) | more than 8 years ago | (#14157166)

Microsoft has learned that, with its position, it doesn't HAVE to spend money fixing software that people keep on buying/using due to lock-in, popularity or whatever.

first post (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14157168)

ahahahaa

Because they don't have to (5, Insightful)

nuggz (69912) | more than 8 years ago | (#14157170)

Why should they?

People will still buy their product; people accept that it sucks.
Unless they see a good ROI on patching or developing good code they won't.

Quite honestly if it isn't a worthwhile use of their resources they shouldn't patch code.

When there is serious competition and code quality becomes a competitive advantage they'll fix it.

Re:Because they don't have to (0)

Anonymous Coward | more than 8 years ago | (#14157270)

That's one way to say it.

Say it another way: if they did fix it, I would buy their software and be happy about using it. And I would recommend everyone to use it. But Microsoft doesn't; they can't even fix simple memory leaks in DHTML with IE. And so everyone is always cursing at Microsoft.

Another word for it: Necessary Evil.

Re:Because they don't have to (1)

PlayfullyClever (934896) | more than 8 years ago | (#14157447)

Sure they should have to. The way they let spyware on your computer should be a crime.

The worst spyware is not even a minimally legitimate commercial venture-- it is theft, run by international criminals and organized crime. So-called "legitimate" spyware and adware have conditioned people to think that a Windows box encrusted with this shyte is normal.

The newest stuff is delivered by a trojan downloader, that also installs a keylogger--or several. The browser hijackers they install do one--or several things--to send you to their fake websites so they can steal your credit card, or even your identity:

-- They take over your HOSTS file so that legitimate urls are translated into THEIR IP addresses, not the real ones.

-- They add THEIR fake banking, paypal, amazon, etc. sites to your "trusted sites" list.

-- They may even change your proxy settings to accomplish or reinforce the same thing.

If you try to clean this crap off with AdAware or Spybot S&D, the trojan downloader--which also disables your AV software and/or Spybot--will NOT be detected, and it will reinstall the malware faster than you can clean it.

Some of these were spread the old fashioned way-- email attachments. Others used the Windows RPC 445/tcp buffer overflow exploit, or the latest IE IFRAME exploit, or one of the 16 other exploits out there for IE alone that MS has not patched.

This shit crossed a line about six months ago from being a commercially-oriented nuisance to being outright theft, run by the same criminals that run phishing scams.

I clean up PCs as a sideline, and the trend is very ominous-- the utility of the PC as a productive tool is threatened, as is the integrity and trust of the Internet.

Thanks, Microsoft. I'd like to see the Dept. of Homeland security take your ass to court for criminal negligence.
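The HOSTS-file hijack described in the comment above (legitimate names silently re-pointed at the attacker's addresses) is easy to check for on a suspect machine. The following is an added example, not code from the page or any of its posters; the watchlist of domains and the sample HOSTS content are constructed for illustration, and the file itself would normally be read from %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag HOSTS-file entries that re-point well-known sites at non-loopback
addresses, the tampering pattern described in the comment above.
Example code; not from the original page."""
import ipaddress

# Hypothetical watchlist: names a workstation HOSTS file should never override.
# Constructed for this example; a real deployment would use its own list.
WATCHLIST = {"paypal.com", "amazon.com", "microsoft.com", "windowsupdate.com"}

# Targets a legitimate HOSTS entry may carry: loopback and the null address
# (ad blockers and "blackhole" lists map hostnames to these on purpose).
_SAFE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
]

# Sample HOSTS content, constructed for this example (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# injected entries (constructed for this example)
203.0.113.45    www.paypal.com paypal.com
203.0.113.45    www.amazon.com
127.0.0.1       ads.example.net   # ad blocker entry, benign
198.51.100.7    intranet.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.

    Comments (after '#') and blank or malformed lines are skipped; one line
    may map several hostnames to the same address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an "address hostname..." line
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), line_no


def _on_watchlist(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text):
    """Return findings for entries whose target is not loopback/null.

    severity "hijack": a watchlisted name re-pointed elsewhere (the attack
    in the comment); "review": any other non-loopback mapping, which is
    unusual on a home PC and worth a look but may be legitimate."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if any(ip in net for net in _SAFE_NETS):
            continue
        severity = "hijack" if _on_watchlist(host) else "review"
        findings.append(
            {"line": line_no, "host": host, "ip": str(ip), "severity": severity}
        )
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"{f['severity']:7} line {f['line']:>3}: {f['host']} -> {f['ip']}")
```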

There doesn't seem.... (2, Interesting)

endrue (927487) | more than 8 years ago | (#14157173)

to be any reason to fix them immediately. Common folks are either used to their computers being unstable or they don't care. MS won't rush to fix bugs because there does not seem to be a large outcry from the end-user community for them.

Re:There doesn't seem.... (1)

Wornstrom (920197) | more than 8 years ago | (#14157268)

I have to agree. Every time I go to someone's house and give the computer a checkup, it is inundated with spyware, sluggish, and unresponsive at times. I guess that is how they plan to get people on the Vista wagon, by the time it is released the XP users will be so fed up with their slow computer, they will be ready to pay a premium for a new computer with the latest offering from MS because the old one "ain't fast enough". If they patch the systems, make them work right, it could kill that future sale... where is that tinfoil hat....

It's not so bad afterall... (0)

Anonymous Coward | more than 8 years ago | (#14157175)

[Mega conspiracy mode on]

Microsoft is not patching holes to provide jobs for all of those worthless MCSE's

not a priority (4, Insightful)

iggymanz (596061) | more than 8 years ago | (#14157177)

Microsoft is growing and profitable having their developers do other things, until such time as they are held hugely financially liable for their bloated buggy crap they won't make that their prime focus

Doesn't he know? (5, Funny)

AEton (654737) | more than 8 years ago | (#14157180)

Issuing patches is dangerous.

Every time Microsoft patches its software, hackers use their patches to discover security holes and to issue exploits!

But when they don't patch their software, no bad guys notice these vulnerabilities. In fact, no virus or worm has *ever* exploited a vulnerability before a critical update was released!

Duh.

Re:Doesn't he know? (0)

Anonymous Coward | more than 8 years ago | (#14157315)

>But when they don't patch their software, no bad guys notice these vulnerabilities. In fact, no virus or worm has *ever* exploited a vulnerability before a critical update was released!

this article, and 2 others on slashdot are about un-patched exploited vulnerabilities, and this is modded insightful? (AC because I already modded as funny, has to be a joke.)

Re:Doesn't he know? (1, Informative)

GauteL (29207) | more than 8 years ago | (#14157337)

"In fact, no virus or worm has *ever* exploited a vulnerability before a critical update was released!"

Do you have any sources to back up that statement? It sounds highly dubious as there was just a trojan that exploited an unpatched vulnerability reported earlier today [slashdot.org] on Slashdot. I find it very hard to believe that there have been no worms or viruses, *ever* to exploit an unfixed vulnerability.

I ask the same question (5, Insightful)

xtracto (837672) | more than 8 years ago | (#14157183)

Why can't the Mozilla Software Foundation fix all the 6300 [mozilla.org]
Firefox bugs? Instead, they have to release a "new" version... just freeze the freaking releases and patch your bugs!

No, OSS is not free of bugs

Re:I ask the same question (0)

Anonymous Coward | more than 8 years ago | (#14157356)

Funny.... either you rounded off the bug count or one bug has been fixed since you posted your comment. At this rate 6299 is not a whole lot. ;)

It's because they are so big. (5, Interesting)

gasmonso (929871) | more than 8 years ago | (#14157186)

The biggest problem that M$ has is their size. Sure they have tons of cash and an army of coders, but I bet the left hand doesn't know what the right is doing. There must be so much red tape there as to basically paralyze them. Just look at the lack of innovation coming out of M$. Windows has been stagnant since Windows 98 and Office hasn't improved much since Office 97. M$ is being crushed under their own weight.

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

Re:It's because they are so big. (4, Interesting)

Shakrai (717556) | more than 8 years ago | (#14157334)

The biggest problem that M$ has is their size. Sure they have tons of cash and an army of coders, but I bet the left hand doesn't know what the right is doing. There must be so much red tape there as to basically paralyze them. Just look at the lack of innovation coming out of M$. Windows has been stagnant since Windows 98 and Office hasn't improved much since Office 97. M$ is being crushed under their own weight.

As much as I agree with you about Office and Microsoft in general I think you'd be hard pressed to find someone that can say with a straight face that Windows 98 remotely compares to the 2000/XP line. Anybody remember 95/98? I remember that I could never keep it running more than a day or two. I remember that having to kill mIRC would often take Windows down with it (WTF???). I remember running out of "system resources" long before I ran out of RAM (what good is RAM if there are artificial limits on "resources"?).

If you want to blame Microsoft then blame them for XP not adding anything to Windows 2000 other than eye candy and phone-the-mothership code. Blame them for rolling out ME for no other reason than to exploit more revenue out of the 95/98 kernel. But don't say something stupid like Windows has been stagnant since 98.

Re:It's because they are so big. (2, Interesting)

gasmonso (929871) | more than 8 years ago | (#14157455)

I'll stick by my original statement, but will add one point. With all the resources available at M$, Windows has been rather stagnant since 98. Look at what Macintosh has done over the same period of time. XP may be more stable than 98, but that's to be expected. Innovation has been nonexistent.

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

FP (0, Offtopic)

pulse2600 (625694) | more than 8 years ago | (#14157188)

First post! and MS doesn't patch everything because they weigh cost of patching vs benefit of writing the patch and the risks associated with leaving it alone at the time. A seemingly small, unimportant issue will not get more attention than something that drives or will potentially make money.

Microsoft and Everything don't mix (4, Insightful)

dada21 (163177) | more than 8 years ago | (#14157190)

If Microsoft fixed everything, then the companies that made programs that allowed users to work around the "flaws" in Windows would go to the federal prosecutors and demand that Microsoft be sued for having a monopoly on fixing their own bugs.

All kidding aside, Microsoft has a huge amount of users, maybe more than any other product in existance (I didn't do the research). This does mean that more bugs will be found, and the reason behind not fixing certain bugs may be that the bug was addressed in a future rollup or patch already. Because Microsoft is a massive corporation with so many departments, it is possible that Microsoft BugCentral says "Fix this!" and Microsoft PatchCentral says "We fixed it in Article 931321 coming next week" and Microsoft ReleaseCentral says "We're waiting for a fix on another bug before releasing that."

I'm not a fan of it, but it is really hard to just come out and say they're ignoring a bug, when it may be something deep set within the software (hard to remove) or it might be addressed but on hold for another reason (opened up another flaw?). If we think we as geeks found all the vulnerabilities, we're fooling ourselves. Windows is a massive program, and even Linux has ongoing flaws. When Linux has as many third party apps and interconnecting drivers as Windows does, I'll accept a complaint towards getting things fixed post haste. Until then, we just have to (thankfully) support third parties that give us options! (And paychecks)

Re:Microsoft and Everything don't mix (1)

tezbobobo (879983) | more than 8 years ago | (#14157513)

For your interest, Coke has the biggest number of users and (this isn't a flame thing) existence is spelt with an 'e'.

What the? (1, Insightful)

bobintetley (643462) | more than 8 years ago | (#14157196)

Is this guy completely retarded?

As much as we may despise it, Windows is a very large, complex piece of software. As bugs are fixed and features added, more bugs are created and so the cycle goes on.

This is the reality of software development. Does he really think that if Microsoft could fix every bug they wouldn't do it?

Re:What the? (1)

poot_rootbeer (188613) | more than 8 years ago | (#14157297)

Does he really think that if Microsoft could fix every bug they wouldn't do it?

Well, they COULD. But at what cost? With the threat of Open Source competition ever-looming, Microsoft simply can't afford to let their feature lists stagnate for the next five years while every available developer is tasked with bug fixing and unit testing against the existing codebase.

Re:What the? (1)

endemoniada (744727) | more than 8 years ago | (#14157304)

As I see it, Windows is now nothing more than a big heap of patches. Several layers of it.

Instead of patching a system with roots in old NT systems, rewrite the operating system so that it's stable and secure from the start. Less patching, and if they do it correctly they might stop most, if not all, bugs and exploits that are out there today.

Make the crackers think twice, because you did first.

Eureka! (2, Funny)

PowerBallad (923647) | more than 8 years ago | (#14157215)

I can hear Microsoft execs right now: "Well when you put it that way...why didn't we think of this before?"

Obligatory tinfoil hat (5, Funny)

Bombula (670389) | more than 8 years ago | (#14157221)

From some Bond movie (Tomorrow Never Dies?):

"What's the status of our new software?"

"Ready for launch Mr Carver, and - as requested - it's full of bugs, so people will be forced to upgrade for years."

"Delicious."

/not serious... no, seriously.

Army of Programmers != Agility (4, Interesting)

otisg (92803) | more than 8 years ago | (#14157225)

Just because MSFT has an army of programmers, it doesn't mean it has an easier time patching its old code. Larger groups of people (be they developers or military groups or a bunch of friends going out drinking) almost always require more grooming and maintenance. Look up "Dunbar Number" - here [google.com] - I find it fascinating.

A smaller, and thus possibly more agile group of programmers may actually be able to patch more holes than a mammoth like MSFT. Size can be a disadvantage (don't quote me on this ;)).

I've often wondered about this. (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14157228)

It seems like, on the whole, that Microsoft is slow at anything that requires writing code. Like Longhorn (or vista, or whatever), for example - it really doesn't do anything interesting enough to warrant the 3-4 years of development it's getting.

One can only assume that they do all their coding with a crayon or something.

Because they're too busy.... (1, Funny)

Anonymous Coward | more than 8 years ago | (#14157229)

patching the holes in Ballmer's walls from all the flying chairs.

Re:Because they're too busy.... (1)

digitaldc (879047) | more than 8 years ago | (#14157281)

Or dodging the chairs that randomly fly out of Microsoft's windows (small w)

software != bowling ~ Nothing's perfect. (2, Interesting)

griffindj (887533) | more than 8 years ago | (#14157230)

with its massive army of programmers and massive budget -- patch all of its vulnerabilities?

This is impossible. With patches, new releases, and updates there will always be new bugs introduced, some exploitable, some not. No program will ever be invulnerable to malicious attacks. As long as a person made it another person can break it. Maybe micro$oft could be doing better at releasing patches, but it will never be error free. And that goes for all software.

It's just not that simple... (4, Interesting)

postbigbang (761081) | more than 8 years ago | (#14157233)

Patches, no matter what they are, are woven into most things that Microsoft and developers do. There are numerous dependencies, and the numerous divisions, API sets, and partner dependencies make this difficult if not impossible to do on an ad hoc basis, as a generally available patch that breaks things is irresponsible.

Yes, it happens anyway.

This is the downside to having a huge, inter-dependent set of apps. Regression testing and dependency testing regimens have to be followed to ensure that small or even massive destabilizations don't happen. This also means that the easy stuff and the most urgent stuff (by their reckoning, not necessarily mine or yours) gets done first, and the tough stuff is just tough.

It's also what makes the closed source model more difficult to deal with, as Microsoft isn't just one pool of programmers, rather thousands of coders working on largely interdependent projects. While it looks like they should be able to do this, it's a reality that it cannot. And it would be irresponsible for them to do so, given so many users, and so many inter-related apps. We just wish it could. That's why OSS methodologies have a bit of an edge in this context (and others).

Re:It's just not that simple... (2, Insightful)

Mr_Silver (213637) | more than 8 years ago | (#14157397)

That's why OSS methodologies have a bit of an edge in this context (and others).

Not much of an edge when you consider that there are at least two bugs in Firefox which haven't been fixed for 5 and 6 years respectively.

Granted, they aren't as critical as the ones that come out of Microsoft, but I consider a couple of years to fix something more than a reasonable amount of time.

Re:It's just not that simple... (1)

RetroGeek (206522) | more than 8 years ago | (#14157491)

This is the downside to having a huge, inter-dependent set of apps.
and
thousands of coders working on largely interdependent projects
and
That's why OSS methodologies have a bit of an edge in this context

Ok, so having a large number of OSS developers, who are probably not even in the same country, working on projects is better?

*nix uses a "large number of small apps" paradigm. Which is why the pipe character is used so much in scripts. This makes each app(script) in the pipe chain vulnerable to changes in another app(script).

For instance if a script relies on a date being returned by another app as m/d/y, and the date format changes to y.m.d, then the script breaks.

Too many unexpected consequences (1)

digitaldc (879047) | more than 8 years ago | (#14157244)

My guess is that if they did, it would take too long to test all of the patches to ensure that:

-The patches worked
-They didn't adversely affect other functions
-The patches come out on the 2nd Tuesday of the month

Do it again, do it right! (1)

endemoniada (744727) | more than 8 years ago | (#14157254)

My suggestion is that Microsoft reworks its entire operating system. Catch a glance at Unix, Mac OS, BSD or whatever, just make a new operating system that DOESN'T inherit all the combined flaws of the older systems.

Vista has already been completely rewritten, since the code was too messy. Well, if they can do that, why can't they just rework the entire structure while they're at it? Harden the system at the core, don't make the fingertips bulletproof.

New update system (0)

Anonymous Coward | more than 8 years ago | (#14157255)

Screenshots of the new update system. http://www.tyigo.com/viewallimages.php?eid=1111 [tyigo.com]

Ah! (0)

Anonymous Coward | more than 8 years ago | (#14157256)

Good thinking George Ou why didn't they think of that before?

Hmm... seeing as we're in brainstorming mode here's something I just thought up:

Why doesn't the government give its money to all the poor people in the world so that we're all rich!

A massive army of programmers will do no good (3, Insightful)

teh kurisu (701097) | more than 8 years ago | (#14157265)

The best way to find a bug is to take the code away from the original programmer and give it to a dedicated tester.

The best way to fix a bug once it's found is to give the code back to the original programmer, and tell them to go fix. Because they know the code. And it's less likely that fixing the bug will introduce more bugs. Obviously, this limits the amount of people you can set to the task of fixing them - and in a project the size of Windows, there are a lot of them.

The reasoning... (1)

PhYrE2k2 (806396) | more than 8 years ago | (#14157278)

1. It's better to release a last-minute patch, so when it breaks something, you can claim it was an urgent fix rather than a poor design choice from the start (aka: skip costly regression testing)

2. Perception of fear: how can they get you to upgrade to Longhorn if there are no security issues with Windows XP? How can their spyware and other partners succeed if they close all of the holes? How can all those consultants fill their days if they're not applying patches to every workstation? They're doing you a favour and letting you keep your job. *smirk*

3. Nobody wants to download several megabytes when they can download a single patched DLL. Bandwidth is still expensive!

[/sarcasm]

The even bigger question is: with the power, size, and focus on security (as well as play with hardware vendors) they have, why didn't they get it right the first time? Most importantly, why wasn't the utmost care taken on anything that takes foreign input (browser parsers, etc.)?

-M

Re:The reasoning... (2, Insightful)

borawjm (747876) | more than 8 years ago | (#14157383)

Most importantly, why wasn't the utmost care taken on anything that takes foreign input (browser parsers, etc.)?

I'd take a gander and say because you just don't know what people are going to throw at it until you let them have it.

It's more cost effective to release a piece of software and apply patches periodically than to attempt to work out all the bugs (which is almost impossible) before you release it.

Because... (1)

t_allardyce (48447) | more than 8 years ago | (#14157282)

No-one likes patching, that's why. When you release a product it's highly likely that the night before the deadline you performed any number of quick hacks and workarounds just to make the shipping date; by that time you were probably sick of the product, sick of the way it failed to meet goals and bored of its flawed internal structure. You breathe a sigh of relief when you can finally hand off your project (and this goes for anything - software, design, art, literature etc.) and get some sleep, ready to start the much more exciting next version with some great new design ideas that completely solve the previous problems. Then, a week later you're forced to stop working on your new project and go back to the old-and-busted project to fix some pointless flaws which you consider totally below you because you have already made them redundant in the new, as-yet unready version. What's more, these bugs are completely mundane and irritating to fix, there's no creativity going on and you're most likely coming up with another set of hacks just to make it work and get it out of the way. Who wants to work on something like that?

Re:Because........Ah, the voice (1)

OneSmartFellow (716217) | more than 8 years ago | (#14157324)

of experience!

I couldn't have said it better.

Re:Because... (1)

griffindj (887533) | more than 8 years ago | (#14157461)

You took the words out of my mouth

The reason is quite simple (1)

spidergoat2 (715962) | more than 8 years ago | (#14157285)

There's no money to be made in fixing problems and issuing patches. The money is in sales. Create a new and 'better' version and charge to upgrade. New versions = profit, patches = lost revenue.

That's a very simplistic view (1)

davidwr (791652) | more than 8 years ago | (#14157512)

There's no money to be made in fixing problems and issuing patches.

While maintenance may appear to be a money-sink rather than a money-maker, the reality is that it protects existing and future revenue streams.

Imagine if Microsoft refused to patch anything. Even ignoring the lawsuits, it would cost MS dearly in lost future revenue.

So, in a way, the money MS makes on insert-next-version-here is in part based on their reputation, or lack of one, when it comes to maintaining insert-current-version-here.

Of course, if their code had fewer serious bugs this would be less of an issue.

Reality check (1)

vandenh (224583) | more than 8 years ago | (#14157287)

>If smaller software companies can patch all of their bugs serious or minor,

And this is already where it all goes down the drain... small software companies also cannot do that (unless they have a very slow product update cycle). I have worked for many big and small software companies and bugs/patches/testing is ALWAYS a big problem. Maybe we shouldn't focus on that, but on finding ways to design software in such a way that bugs can be detected by the software itself! (wow.. SF stuff) Or make sure our way of working with the business side (MORE features) is different. Software guys are from Mars and business partners are from Venus!

They don't *have* to! (-1)

Anonymous Coward | more than 8 years ago | (#14157301)

What part of "monopoly" are you people not understanding?

Can't patch CDs (1)

saskboy (600063) | more than 8 years ago | (#14157317)

Part of the problem is that recovery CDs for mass-produced computers can't be patched. You end up with the quandary of restoring an insecure system, which you have to put online to update before it gets infected. If someone doesn't have a firewall or NAT, then too bad, they are toast again.

Also, if you "fix" something, it's not like it doesn't impact other things. Microsoft's Rollup 1 for SP4 Windows 2000 a few months ago broke the ability to save to floppy disks in Microsoft Office products. They fixed it later with version 2 of rollup 1 for SP4. You think the average person is going to know what all those numbers even mean?

Because it's such a huge company (1)

mindaktiviti (630001) | more than 8 years ago | (#14157327)

And things at huge companies tend to take a long time to finish. I wonder where the point of diminishing returns sets in. Typically mid-sized companies tend to have the resources to perform their services as well as keep customer satisfaction at an optimum level.

Maybe it's time for MS to break off into 3 sections? Just like where I work (huge municipal organization)...our project WILL save our city millions of dollars but what's happening right now? It's at a stand still because it's budget time. *sigh*

Unsafe at Any MHz (1, Insightful)

Doc Ruby (173196) | more than 8 years ago | (#14157330)

Maybe Ou is up at 4AM protecting Microsoft's customers for free because it doesn't cost Microsoft anything. Microsoft needs a class action suit loss, or steep hikes in their insurance rates anticipating such a loss. The days when publication of unsafe product exposés like Unsafe at Any Speed [wikipedia.org] transform an industry are long gone. Industries have learned to insulate themselves from books read only by the tiny American intelligentsia by publishing vast overbalancing PR. Some industries even have bought immunity from liability [bradycampaign.org] for their unsafe products. Since the Supreme Court has now found that software companies are liable for damages caused by their users' use of their unmodified products [eff.org] , maybe we will see Microsoft liable for the vast damage caused when people use their products the way they promote them. Or maybe we're looking forward to an imminent release of a WiFi "Microsoft Machinegun".

have I misread something (2, Insightful)

Shad_the_protector (931920) | more than 8 years ago | (#14157344)

If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks, why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities?

Ok, have I misread something?

Small companies = 1 or 2 programs, each with a couple of thousand lines of code. Usually a new program, so fresh and structured code.

Microsoft = dozens of programs, each with a couple of million lines of code. Usually based on ancient versions going back to the age of C, when code was a little less structured than now, and impressively patched over and over again.

This said, you also have to count that some Microsoft software is dealing with complex coding like memory managing, thread managing, hell, all the computer managing.

Also add that the goal of every Microsoft user is exactly to find all flaws in Microsoft and just point at them and say "HAHA! There is a bug there, Mr. MS." So it's not surprising that Microsoft software has to deal with a lot of bugs.

I think that pretty much makes an answer to why Microsoft is like this.

unchecked buffer (0)

Anonymous Coward | more than 8 years ago | (#14157348)

unchecked buffers were kind of cute in 1999....
Can't M$ run an unchecked buffer checker and then fix them all?
It is incredibly incompetent that there are still unchecked buffers in M$ software.

The best Microsoft patch to use... (1)

polterbyte (796780) | more than 8 years ago | (#14157352)

...is an eye patch.

Re:The best Microsoft patch to use... (0, Offtopic)

octaene (171858) | more than 8 years ago | (#14157471)

You mean an eye-eee patch [getfirefox.com] .

Dollars and Sense (1)

JamesGolick (891096) | more than 8 years ago | (#14157354)

Why would Microsoft want to fix these bugs, when their existence doesn't seem to be losing them much? True, Firefox is slowly gaining steam, but it seems to be that a good percentage of that switchover comes simply from the fact that Firefox offers tabbed browsing. My girlfriend's parents think that Firefox is what's causing problems with their computer (Windows XP Home with NO spyware protection or AV). With the launch of IE7, how many users will simply revert to their integrated browser?

Especially in the marketplace, nobody is accountable until they are held as such. If Microsoft were held (financially) accountable, then they would patch everything they needed to, or provide something new altogether.

Corporations have a responsibility to one thing, and one thing only.

And it ain't us.

They Can't (1)

Anonym1ty (534715) | more than 8 years ago | (#14157364)

Microsoft can't just patch everything as easily as it sounds. The reason is that certain features in the program actually cause the security problem in the first place. In order to quickly patch these problems and close the security holes, you would essentially disable the entire feature. Added to this, the problem is that these features are part of Microsoft's strategy in the marketplace. Exactly as with the Win98/IE integration. Sure, all the inherent security flaws that produced could be fixed, but then you lose browser integration the way they intended it. If you remove the browser from the OS, then it can be unbundled, and then Microsoft hasn't got even the smallest leg to stand on in an anti-trust case. Basically, the point is that the reasons why they can't just patch everything are completely unrelated to the software.

How ironic (1)

doctorjay (860762) | more than 8 years ago | (#14157393)

He wouldn't have a job, or his job would be really boring, if they did patch ALL of their bugs...

the author of the article can only ask this... (0)

Anonymous Coward | more than 8 years ago | (#14157395)

because he doesn't understand business. Anyone with a little knowledge of how large scale projects work knows that you can't fix everything, only the things that cost your customers the most money.

It's all about "cute" data structures (3, Interesting)

$RANDOMLUSER (804576) | more than 8 years ago | (#14157400)

Why don't we blame the real culprit? Microsoft's abiding love of data structures that look like this:
    struct foo {
        int length;      /* size of buffer, as reported by whoever produced the data */
        char buffer[];   /* C99 flexible array member; the post's "char [] buffer" is not valid C */
    };

Where the whole thing is allocated dynamically, based on what someone else told you the size was.
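What that record looks like when parsed with the checks it needs, as an added example that is neither the poster's code nor anything from Windows. It also answers the "unchecked buffer" comment above: the declared length is validated against the bytes actually received and against a cap before anything is allocated or copied. The 4-byte little-endian length header, the FOO_MAX_LEN cap and the sample bytes are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The length-prefixed record from the post, as a C99 flexible array member:
 * one malloc() holds the header and the payload together. */
struct foo {
    size_t length;
    char buffer[];
};

/* Wire format assumed for this example: 4-byte little-endian length, then
 * that many payload bytes. The cap is an arbitrary value chosen here. */
#define HDR_LEN     4u
#define FOO_MAX_LEN (64u * 1024u)

/* Parse one record from an untrusted buffer. The bug the post describes is
 * trusting the declared length: allocating and copying 'declared' bytes
 * when the sender may have lied about it. Both checks below close that. */
struct foo *foo_parse(const unsigned char *in, size_t in_len)
{
    if (in == NULL || in_len < HDR_LEN)
        return NULL;                       /* header itself is missing */

    uint32_t declared = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                        ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);

    /* 1. the declared length must fit in the bytes actually received;
     *    otherwise memcpy() would read past the end of 'in'. */
    if (declared > in_len - HDR_LEN)
        return NULL;
    /* 2. cap the allocation; this also rules out sizeof *f + declared
     *    wrapping around to a tiny block that memcpy() then overflows. */
    if (declared > FOO_MAX_LEN)
        return NULL;

    struct foo *f = malloc(sizeof *f + declared);
    if (f == NULL)
        return NULL;
    f->length = declared;
    memcpy(f->buffer, in + HDR_LEN, declared);   /* bounded by check 1 */
    return f;
}

/* Parse and return the accepted payload length, or -1 if rejected. */
long foo_parse_len(const unsigned char *in, size_t in_len)
{
    struct foo *f = foo_parse(in, in_len);
    if (f == NULL)
        return -1;
    long n = (long)f->length;
    free(f);
    return n;
}

/* Constructed sample inputs (not captured from any real protocol). */
const unsigned char SAMPLE_OK[]    = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
const unsigned char SAMPLE_SHORT[] = {9, 0, 0, 0, 'h', 'i'};              /* claims 9, sends 2 */
const unsigned char SAMPLE_HUGE[]  = {0xff, 0xff, 0xff, 0xff, 'h', 'i'};  /* claims ~4 GiB */
```

Without check 1 the SAMPLE_SHORT and SAMPLE_HUGE inputs would make memcpy() read far past the end of the input; without check 2 a large declared length could wrap the malloc() size on a 32-bit build.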

Welcome to Corporate America (2, Informative)

TheRealFritz (931415) | more than 8 years ago | (#14157403)

In a company run by Software Engineers, bugs would be fixed before new features are added and we'd see life cycles similar to open source projects that produce typically stable and largely bug free 1.0 releases.

The reality of Corporate America, however, is based on quarterly results. Getting that next release out the door and being able to sell is everything. That means that all clean-up work (bugs, exploits, refactoring) will be prioritized along with new features and unless it's really critical will likely not get done for a long time, because they are lower priority since they bring no customer sales.

Unless and until those bugs affect the bottom line, the company won't do a thing about them. A good recent example would be Sony's rootkit problem, which it turns out was pointed out to them before the public release on Sysinternals' blog.

http://www.gloryhoundz.com/ [gloryhoundz.com]

OpenBSD can.. (0)

Anonymous Coward | more than 8 years ago | (#14157408)

It is all about attitude and focus.

Open Source proves that developers can work together asynchronously and distributed around the whole world. I can't see any reason why any large organization can't do the same.

OpenBSD proves again and again that their view about quality does reduce problems.

Microsoft can't patch everything. (1)

paulwallen (825524) | more than 8 years ago | (#14157414)

because they don't have the source code for everything :)

Dangerous Assumption in Article (2, Interesting)

sarlos (903082) | more than 8 years ago | (#14157427)

The article is making a very dangerous assumption here... assuming that other companies fix all their bugs. They are only fixing bugs that we know about. Who knows what they have found in-house that has remained unpatched because it was deemed too obscure.

Another thing the author is missing is that these competitors stay in business by creating the impression that all vulnerabilities are fixed. Microsoft is vastly more publicly responsible than the smaller competitors mentioned. In the interest of continued business, they are pretty much required to adopt a policy of full disclosure. Smaller companies are not required to do this as much because they are the underdog, and everyone loves an underdog.

If it was discovered Microsoft knew about some bugs and didn't publicly release the information, there would be massive outcry. If Mozilla did the same, they might get a slap on the wrist, but I doubt it would seriously affect their business. As I mentioned above, they are the underdog and everyone loves an underdog.

Spoken like a true non-developer (1)

Call Me Black Cloud (616282) | more than 8 years ago | (#14157435)

Why can't they just churn out patches? Testing. You have to be sure the patch doesn't break something else. That's just as important as fixing the holes in the software. So many things are interdependent in Windows it's impossible to know what effects changes will have.

Do you really think MS is sitting on code or ignoring security problems? If you do, you're naive. MS is a business - it doesn't pay to ignore these things.

Answer (3, Insightful)

Tom (822) | more than 8 years ago | (#14157444)

Incompetence, disinterest, different priorities, and no business reasons to do it.

Oh, he didn't really want an answer?

Simple Economics (1)

damiceious (819510) | more than 8 years ago | (#14157457)

Any intro economics class will teach you that monopolies are bad for the following reason: "They dominate the market and this means that they don't have to do any research or develop _really_ new product, so they don't."
This is classic monopoly abuse, plain and simple. If Microsoft goes out and sets the bar high for themselves, it'll cost them more in the long run, instead of costing us more.

At what point can we Sue them? (-1)

Anonymous Coward | more than 8 years ago | (#14157466)

I'm just wondering at what time we can sue them for not doing something to repair ancient security issues? Is there some grounds to stand on that, after a large amount of time after security flaws are found, a product that is still supported has to have been fixed, for 'knowingly jeopardizing their users' computers'?

I realize it might take a lot for this to happen, and it might cause products to stop being supported faster, but we need some sort of pressure to make developers more proactive about security issues!

It's not practical to "patch everything"! (4, Insightful)

Theovon (109752) | more than 8 years ago | (#14157493)

We're used to OSS products that can be patched in a day, but we're also used to seeing those patches break things in unanticipated ways, often making things worse.

We're also used to picking on Microsoft for having buggy software. But they have extensive and long testing procedures, without which MS software would be WAY buggier on release. Their software is massive (for some good reasons and some bad ones), so it's a huge undertaking to fully test it.

In order to avoid, as much as possible, unanticipated consequences of a patch, Microsoft cannot simply make the fix and release it. An argument could be made that if they were to do that, they would often create more vulnerabilities than they started with, so releasing too quickly would be a BAD thing to do. Windows 95 is an example of something that was released too quickly, lacking certain kinds of testing entirely; you can see the unfortunate results when you try to connect a Win95 box directly to the internet and wait 5 minutes.

So, why can't Microsoft 'patch everything'? Here are the reasons:

(1) First, you have to FIND 'everything', and Windows is just massive.
(2) When you make a change, you have to test it extensively, which takes a LOT of time.
(3) Some patches are one-liners. Some affect large amounts of code that makes it even harder to anticipate consequences.
(4) Sometimes, you have to test things one at a time. This serializes your patch process in such a way that it just takes a very long time. This is very hard to avoid.

The fact of the matter is that if Microsoft were to 'patch everything', we would have a lot more to complain about. People should stop asking for stupid things and be realistic.

Even OSS projects can't 'patch everything' successfully. Sure, many of them are better designed from the start, so there are fewer things to patch, but when a patch needs to happen, the same amount of testing is going to have to happen, one way or another (either you release a beta and let it get tested for a while, or you just stick it in and wait for the shit to hit the fan and end up fixing the consequences the same amount of time later anyhow).

Also, certain people forget that Microsoft did go on a 'patch everything' hunt and DID fix a huge number of bugs. They still didn't find everything.

Oh, and if we're just talking about patching everything that's currently known, my argument still stands. Patching a bug or vulnerability is often quite difficult.

Only two dozen??? (1)

SilentJ_PDX (559136) | more than 8 years ago | (#14157511)

Currently, more than two dozen Windows XP issues remain unpatched.

Really? Only two dozen? If the author is foolish enough to think that Windows only has two dozen bugs, it's no wonder he's foolish enough to think it should be easy to fix them.

This post is not a slam against MS, but the article...

zero-day (2, Funny)

supergiovane (606385) | more than 8 years ago | (#14157519)

Had Microsoft fixed a low risk browser vulnerability six months ago, perhaps we could have avoided last week's zero-day exploit.
Maybe it should be named zero-year exploit.
