Thousands of hackers are working away every day to find ways to exploit operating systems, networking protocols, and applications. Legitimate security companies do the same thing, hoping to beat the bad guys to the punch. When a vulnerability is discovered, whether by a hacker or a security expert, the software vendor is then expected to come up with a fix. That's a reasonable expectation. What's not always reasonable is the expectation that the software vendor will have a fix available immediately.
It may have taken the security experts literally years after the release of the software to discover a way to exploit it, but many of them then label the software vendor as irresponsible or lazy if a patch isn't rushed out the door within a few days. Often, under the tremendous pressure of public opinion, this actually happens. Sometimes it takes longer. Sometimes the quickly released patches work great. Sometimes they don't.
Anyone who's ever had his/her system hosed by a hastily written security update knows that there's a downside to releasing patches before they've been fully tested on a lot of systems with different configurations. Has this ever happened to you? You read the horror stories about the latest discovered security flaw in a piece of software you're running and of course, you don't want to leave yourself open to attack, so you immediately download and install the "fix." And lo and behold, it ensures that you won't be attacked, all right - because it also prevents you from connecting to the Internet, or maybe from connecting to a network at all, or maybe even from booting the computer. Your data is safe now, even from you.
Microsoft and other large software companies have a vested interest in seeing that security vulnerabilities in their products get fixed, but they also have a responsibility to those who use and depend on their products to get work done to "first, do no harm." That's why they have entire departments dedicated to responding to security incidents and reports of vulnerabilities, and set procedures for creating and testing patches before releasing them to the public. You can read about the Microsoft Security Response Center (MSRC) process for managing vulnerabilities at http://www.wxpnews.com/rd/rd.cfm?id=060110ED-MSRC. I personally know that there were a lot of people on that team who worked through the Christmas and New Year's holidays, when many of us were spending time with our families or out partying, to address various security issues that had come back over the holidays.
It's easy for us to criticize software companies (and we'll continue to do so when they do something that merits it, such as imposing customer-unfriendly licensing agreements). But as we begin a new year, I think it's a good time to acknowledge the long, tough hours of hard work that employees of those companies put in to bring us consumers and IT professionals the features that we ask for, and to respond to security concerns as quickly and effectively as they can and get those patches out quickly, and at no cost to us. In many cases, company employees could make much more money as consultants or critics, but they stay with the company and forego sleep and personal lives to bring us better software (not perfect software; there's no such thing). I salute them.
Editor @ WXPNews