There already exists a cooperation that ensures that the right people get to know about bugs in time to be able to fix them. I think Microsoft's problem here is that they need more time to test bugfixes than most of the competition, because Microsoft's binary backwards compatibility and the "it's a released bug, ergo a part of the spec" attitude make it an almost impossible task to fix certain things in Windows without making something incompatible.
Therefore, they are trying hard to avoid the common security bug alert system used by the rest of the software industry and are trying to reinforce something that suits Microsoft better.
zlib showed this very well - all involved companies were told about the bug, and everybody created fixes except Microsoft, who were still unsure about what they would do about it after it went public. Microsoft has the same time to spend as everybody else, but they simply don't have the infrastructure to deploy bugfixes quickly for all the software they have released.
Having Microsoft sort bugs out for the customer is also something they can only do for a limited time. Right now, security on Windows is limited to keeping hackers out of the computer, unlike Unix, where you also want to prevent one user from hacking another user on the same computer. On Windows, it is simply assumed that if you have access to a computer, you can hack yourself into another user account on the same computer. On Linux and Unix, however, it is assumed that you may let a hacker use your computer all he or she wants, and this person can still not hack his/her way into other accounts on the same computer. This difference makes it possible for Microsoft to sort bugs into network-related and non-network-related security bugs, and customers don't need to know about non-network-related security bugs.
But - with Terminal Services, advanced webservers etc., and the assumption that most hackers are employed by the hacked company, Microsoft needs to do something about the internal security of Windows, too. And then they'll need a better, automated bugfix system for their software, and they'll need to stop filtering bugfixes as they plan to do now.
Dybdahl.