Thursday, August 30, 2007

What are Microsoft Thinking?!

Microsoft has, in the past, had a reputation for not taking security seriously. It had previously run the company on the idea that users want features, and that is where the development costs went. Security was put in only where it couldn't be avoided.

Things changed and security became a feature. Microsoft woke up and have done an amazing job of establishing a patching schedule (Patch Tuesday) and supplying tools like WSUS and MBSA to make sure that patches are rolled out with minimal issues.

That's great for larger organisations, but while my PC at work is always up-to-date and secure, my PC at home has been lagging. I feel rather safe because it is not connected to the Internet 24/7 and is firewalled when it does dial up. Yes, dial up. With a modem. I don't process any funny documents on the box so it is really in a safe world of its own.

But being a security professional, I feel that I should take some time to patch the box just to be sure.

So... let's get back to that modem thing. My modem does not run at 100% and the connection is pretty faulty. In South Africa local calls are charged for, so it could get quite pricey to patch my machine, not to mention the amount of time that my phone at home would be engaged.

That is for my one PC... if I had others the time to download and patch would be longer.

Enter the amazing AutoPatcher software. All the Microsoft Patch Happiness you can get (and other stuff too!) all on one little platter! Basically it is all the Microsoft patches on CD with a utility to work out what is needed and deploy it. Download it at work, burn it, take it home and patch patch patch. This is one amazing little package and so necessary for smaller companies and home users.

Microsoft also benefit from the bandwidth savings and happier customers (isn't that what business is all about?).

But now Microsoft have instructed AutoPatcher to remove the Microsoft patches from their site. They are quite allowed to do this under copyright law because the patches are really Microsoft patches repackaged. It means that AutoPatcher really doesn't have much of a purpose though.

I can understand the fact that Microsoft doesn't want to face legal liability if AutoPatcher breaks a third party machine, but I have no idea now how I can patch my home PC quickly and easily like I was able to before.

If I were Microsoft I would have bought out AutoPatcher for less than Bill Gates makes in a day and renamed it Microsoft CDPatcher. That move would have shown that Microsoft is serious about security and cares for customers rather than serious about security only to make money.

As it stands today I think Microsoft has made a mistake.
