Why Can't Microsoft Just Patch Everything? 640
paneraboy writes "If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks, why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities? Had Microsoft fixed a low risk browser vulnerability six months ago, perhaps we could have avoided last week's zero-day exploit. Currently, more than two dozen Windows XP issues remain unpatched. Ou thinks Microsoft ought to fix them all." From the article: "Almost 4 years after the launch of Trustworthy Computing, I found myself wondering why am I staying up till 4:00 AM to deliver an emergency set of instructions (Home and Enterprise) to my readers because Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but mutated in to something extremely dangerous."
Seems like some people don't understand coding (Score:5, Insightful)
Do you really think if Microsoft COULD do it, they wouldn't.
patch the leaky boat (Score:5, Insightful)
It can't be done ... (Score:5, Insightful)
I think MS has come a long way from where they were, but I agree. To the people who claim it can't be done: OpenBSD [openbsd.org] does it!
Because they don't have to (Score:5, Insightful)
People will still buy thier product, people accept that it sucks.
Unless they see a good ROI on patching or developing good code they won't.
Quite honestly if it isn't a worthwhile use of their resources they shouldn't patch code.
When there is serious competition and code quality becomes a competative advantage they'll fix it.
not a priority (Score:5, Insightful)
I ask the same question (Score:5, Insightful)
Firefox Bugs? instead, they have to release a "new" version... just freeze the freaking lreleases and patch your bugs!
No, OSS is not free of bugs
Microsoft and Everything don't mix (Score:5, Insightful)
All kidding aside, Microsoft has a huge amount of users, maybe more than any other product in existance (I didn't do the research). This does mean that more bugs will be found, and the reason behind not fixing certain bugs may be that the bug was addressed in a future rollup or patch already. Because Microsoft is a massive corporation with so many departments, it is possible that Microsoft BugCentral says "Fix this!" and Microsoft PatchCentral says "We fixed it in Article 931321 coming next week" and Microsoft ReleaseCentral says "We're waiting for a fix on another bug before releasing that."
I'm not a fan of it, but it is really hard to just come out and say they're ignoring a bug, when it may be something deep set within the software (hard to remove) or it might be addressed but on hold for another reason (opened up another flaw?). If we think we as geeks found all the vulnerabilities, we're fooling ourselves. Windows is a massive program, and even Linux has ongoing flaws. When Linux has as many third party apps and interconnecting drivers as Windows does, I'll accept a complaint towards getting things fixed post haste. Until then, we just have to (thankfully) support third parties that give us options! (And paychecks)
Re:Good ole' 2002 (Score:2, Insightful)
What the? (Score:1, Insightful)
As much as we may despise it, Windows is a very large, complex piece of software. As bugs are fixed and features added, more bugs are created and so the cycle goes on.
This is the reality of software development. Does he really think that if Microsoft could fix every bug they wouldn't do it?
Re:Seems like some people don't understand coding (Score:5, Insightful)
Do you really think if Microsoft COULD do it, they wouldn't.
Just because they CAN do something doesn't mean that they WILL. Anybody care to remember what it was way back in the day with Microsoft software? Anybody remember how they ignored holes that were exploited far worse then this one until the public outrage overwhelmed their PR spin?
They don't look on security as anything other then a marketing ploy.
A massive army of programmers will do no good (Score:3, Insightful)
The best way to find a bug is to take the code away from the original programmer and give it to a dedicated tester.
The best way to fix a bug once it's found is to give the code back to the original programmer, and tell them to go fix. Because they know the code. And it's less likely that fixing the bug will introduce more bugs. Obviously, this limits the amount of people you can set to the task of fixing them - and in a project the size of Windows, there are a lot of them.
Re:Seems like some people don't understand coding (Score:3, Insightful)
Unsafe at Any MHz (Score:1, Insightful)
have I misread something (Score:2, Insightful)
Ok have I missread something?
Small companies = 1 or 2 programs with each a couple of thousands lines of codes. Usually new program, so fresh and structured code.
Microsoft = dozens of programs, with each a couple of millions lines of codes. Usually based on ancient versions returning to the age of C when code was a little less structured than now and imprissivly patch over and over again.
This said, you also count that some microsoft software are dealing with complex coding like memory managing, thread managing, hell all the computer managing.
Also add that the goal of every microsoft user is exactly to find all flaws in microsoft and just point at them and says"HAHA! There is a bug there mr. MS." So it's not surprising that microsoft software have to deal with a lot of bugs.
I think that pretty much make a answer to why Microsoft is like this.
Re:patch the leaky boat (Score:5, Insightful)
Not to mention that a new hull design, or switching from sail to diesel, might require that you retrain all your sailors too!
Re:The reasoning... (Score:2, Insightful)
I'd take a gander and say because you just don't know what people are going to throw at it until you let them have it.
It's more cost effective to release a piece of software and apply patches periodically than to attempt to work out all the bugs (which is almost impossible) before you release it.
Re:It's just not that simple... (Score:3, Insightful)
Not much of an edge when you consider that there are at least two bugs in Firefox which haven't been fixed for 5 and 6 years respectivily.
Granted, they aren't as critical as the ones that come out of Microsoft, but I consider a couple of years to fix something more than a reasonable amount of time.
Answer (Score:4, Insightful)
Oh, he didn't really want an answer?
Re:It can't be done ... (Score:2, Insightful)
You can go on to claim 'well then just install secured packages as well', but it turns out third party apps never run as well as integrated apps. And microsoft is aiming at the people who want a working system out of the box, not a system that's basically a clean slate that you need to draw up yourself.
It's not practical to "patch everything"! (Score:5, Insightful)
We're also used to picking on Microsoft for having buggy software. But they have extensive and long testing procedures, without which MS software would be WAY buggier on release. Their software is massive (for some good reasons and some bad ones), so it's a huge undertaking to fully test it.
In order to avoid, as much as possible, unanticipated consequences of a patch, Microsoft cannot simple make the fix and release it. An argument could be made that if they were to do that, they would often create more vulnerabilities than they started with, so releasing too quickly would be a BAD thing to do. Windows 95 is an example of something that was released too quickly, lacking certain kinds of testing entirely; you can see the unfortunate results when you try to connect a Win95 box direcly to the internet and wait 5 minutes.
So, why can't Microsoft 'patch everything'? Here are the reasons:
(1) First, you have to FIND 'everything', and Windows is just massive.
(2) When you make a change, you have to test it extensively, which takes a LOT of time.
(3) Some patches are one-liners. Some affect large amounts of code that makes it even harder to anticipate consequences.
(4) Sometimes, you have to test things one at a time. This serializes your patch process in such a way that it just takes a very long time. This is very hard to avoid.
The fact of the matter is that if Microsoft were to 'patch everything', we would have a lot more to complain about. People should stop asking for stupid things and be realistic.
Even OSS projects can't 'patch everything' successfully. Sure, many of them are better designed from the start, so there are fewer things to patch, but when a patch needs to happen, the same amount of testing is going to have to happen, one way or another (either you release a beta and let it get tested for a while, or you just stick it in and wait for the shit to hit the fan and end up fixing the consequences the same amount of time later anyhow).
Also, certain people forget that Microsoft did go on a 'patch everything' hunt and DID fix a huge number of bugs. They still didn't find everything.
Oh, and if we're just talking about patching everything that's currently known, my argument still stands. Patching a bug of vulnerability is often quite difficult.
Re:It can't be done ... (Score:5, Insightful)
Microsoft (and other vendors) make a cost-benefit analysis.
And that's where we get screwed.
Re:What the? (Score:5, Insightful)
This is not the reality of software development. This is the reality of incompetent developers and management perhaps: making technical decisions based on how to lock in your customers, work around lawsuits, and shove software out the door to crush the competition.
Plenty of systems---yes, open source ones are good ones to look at---are not so bug-ridden and complex that they can't stay ahead of the curve and react quickly. If you write good software, if you're at least decent at what you do, that is the reality of software development.
But, they don't. They have reports of bugs for months, often, and do nothing until it's publically reported and/or there's an exploit in the wild. Does it take Microsoft 6 months to come up with a patch for a single buffer overrun? Or are they just too arrogant and think they're above doing anything about problems until they're exposed?
How often do we see bug reports from Microsoft about a critical vulnerabilities, compared to third-party reports?
Re:Because they don't have to (Score:5, Insightful)
This is something that winds me up terribly about Microsoft, or rather, the people who use Microsoft software. For example, a friend has had absolutely terrible problems with his Windows XP laptop, tearing his hair out stuff with viruses and worms and other issues. He was going to buy a laptop for his wife and asked me for my advice. I said, buy an Apple laptop and you won't have all these problems. So what did he get? Another windows machine. Why? WHY??? Because everyone uses Windows, and he was afraid of something different. And this isn't the only example.
I got my old mum and dad a Mac Mini - they love it, and their friends coo over the slide show software and ask me how to buy one. I explain it's an Apple computer, it's cheap and compatible and will have all the software they need already installed. Then I find out later they've brought a Windows machine, because their son uses one and they were afraid that if they got an Apple they wouldn't be able to email him.
Microsoft survives because of the fear most people have of something different. Drives me nuts. My only recompense is saying to these people "You asked my advice and I said buy a Mac then you wouldn't have these issues. So sorry I can't help you. " when they phone me to solve their stupid problems...
Rant over.
Mod parent up! (Score:5, Insightful)
1) Patches to fix code flaws in an otherwise sound security model.
2) Band-aids for a flawed security model (anti-virus updates are in this category).
Microsoft focused on "user friendly" and "easy of use" for so long to the detriment of security. And security cannot be retro-fitted to a system.
When they merged IE with the OS, just to be able to beat Netscape, they opened the OS to a whole new category of exploits.
And then ActiveX made web app programming so much easier
Re:Seems like some people don't understand coding (Score:1, Insightful)
If there wern't any bugs, why would you replace it (Score:2, Insightful)
Software (despite what M$ would have us believe) doesn't wear out.
The only way to sell new stuff is have it break down. They only fix a few vulnerabilities at a time to make us believe they're trying to keep it safe, but they really built the "rust" at the factory.
Add a few new "features" (read code bloat) and the replacement cycle starts all over again.
They're probably secretly supporting a few exploits the keep the damand up.
Re:Unsafe at Any MHz (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Strawman argument... (Score:5, Insightful)
If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks
So if I go looking for bugs in say the Opera browser I wont find any, because small companies patch all their bugs?
Nobody patches all their bugs; not small companies, and not large companies. The argument is a piece of sophistry that simply sets up another round of MS bashing. A fun sport, but it shouldn't be mistaken as anything exccept sport.
Big OS +Lots of employees + Techsupport = $$$$ (Score:3, Insightful)
Now, I can't say for certain, but I imagine that means that every time they release a new OS, their support staff grows bigger, whether in house or contracted out (I'm not sure how MS handles it).
This is ALOT of people folks.
So, you're in charge of keeping MS a growing profitable company. Does it make sence to focus your time on patch after patch after patch, which does nothing but tie up your employees with aditional support and coding while in no way contributing to the effor of actually paying them? Do you focus on pushing out the new OS, forswearing support of a decades worth of previous OS's, Office, and other programs (I'm not going to venture a guess at what they're still supporting... and how many questions they have to field about things they're not still supporting, and how many questions they get for, I dunno... any program that was ever made for PC that people have trouble making run out of the box.."
Smaller companies don't have tis problem. For most of them, all they need is a relatively short testing period to make sure itruns on Windows. Microsoft has the reverse problem : to make sure ANY legitimate programs, however poorly implimented, run out of the box whilte at the same time distinguishing between those and malicious unwanted programs. They can't cater to the smart people either. Linux has less bugs, but lets face it; even the easy to instal builds are a brain job for newbies, and impossible for most grandmothers.
So yeah, Microsoft has a full plate, and as ugly as it sounds, I doubt its economically fesable for them to fix everything. They have to prioritize. New features= new money. New patches = no money + continued expenses.
Conspiricy theories aside, does anyone really think they *like* having a reputation for buggy software?
Patching Vulnerabilities. (Score:1, Insightful)
Additionally, the size of the company is, in a sense, a two-edged sword. Sure, Microsoft has a ton of programmers and developers, which would indicate they certainly have the manpower for repairing exploits. However, when you have so many different people working on the same project, you run into problems. If you write a program entirely by yourself, it's relatively easy to look through your own code and see where you messed up. On the other hand, if you worked with a dozen other programmers together on a project, it would be considerably harder to figure out exactly where the issues was. Multiply that difficulty by 1000, and that's where Microsoft is. The term 'clusterfuck' comes to mind...
Re:Seems like some people don't understand coding (Score:3, Insightful)
"Quality" (Score:5, Insightful)
There was a business mantra in the '90s, and still out there today, that defines "quality" as whatever it takes to please the customer. Consultants hauled in buckets of money generating cliches out of that. Companies may be driven by customer satisfaction, which is fine as far as it goes, but it doesn't mean their products are any good.
The flaw in the cliched definition is that often the customer doesn't know what they're getting or have any basis to judge how good the product is.
Microsoft, being driven by market share, is a step removed even from that level of quality. They only want their customers to be happier with their products than with the competition (which is often another of their products or an earlier version of the same one).
Making things properly is not in their range of capability.
Re:Because they don't have to (Score:2, Insightful)
I am waiting for Apple to release the Mac Mini 6-Pack, so I can upgrade the rest of my family.
Re:Mod parent up! (Score:2, Insightful)
Oh, you thought you actually had something there...
So really, you have no idea what you are talking about.
Maybe still denying the root problem (Score:5, Insightful)
Imagine you write a long long book. Even if you try to correct all the typos you may miss some of them. It is hard to publish a book with no typos at all.
I think that was great fun! If MS management believes that the security problems are "typos" then I understand they cant fix them all. Of course, security problems are more like problems with the story line: contradictory events, inconsistent background and such things.
Maybe they still have not accepted that the reason for their security problems is the poor design of Windows (particularly integrating things very freely). As long as they dont accept the truth they will try to correct typos, and that will not make the story any better.
Re:Strawman argument... (Score:5, Insightful)
Some more points about your criticism: strawman arguments [princeton.edu] aren't what you accuse the original post of being. They are weak or sham arguments created by an opponent to easily refute, not arguments made by the original party. And your Opera example is predicated on exactly the strawman I pointed out in the reponse to the original post: you read "if smaller software companies" as "if all smaller software companies", and then argues that one smaller company doesn't patch all of their bugs. When in fact the implicit qualifier in "if smaller software companies" is "if some (or any) smaller software companies". So their predicate is valid if even a single smaller software company patches all its bugs. And, as I mentioned, the bugs that matter in this argument are those that are reported, known, and security. If you insist on "all bugs" being literally all-inclusive, you're arguing for that release to be the final one, without even new features - sometimes known to some users as fixing bugs of omitted features.
So, as usually seen in posts by people who call factual, logical criticism "bashing" (of MS or any other party), you at last accuse the fair criticism of being "sophistry" and "sport". True to form, you project the serious flaws in your own strawman and absurdly reductionist argument onto your targets. It might be sport for you, but it's unsporting conduct.
Re:It's all about "cute" data structures (Score:3, Insightful)
Code is not executed from the heap (data segment), unless you explicitly point the instruction pointer there. This is actually pretty difficult to do. To do it in a standard program run, you would have to write self modifying code [wikipedia.org]. To force a program that otherwise *wouldn't* execute code from the heap, you would first need to corrupt the stack and adjust the return pointer to the pointer at your instruction buffer. But if you can't corrupt the stack, you're still just wasting your time.
To say that self modifying code is a rarity is an understatement in the extreme. There are very, very few applications that do it--you do it only when the cost of a single branch insruction would significantly affect your performance. (Which is to say, virtually never, with the exception of software rendering pipelines).
The first press release you linked (the MS one) mentions that the vulnerability is low, because the heap is dynamic and you would have to overflow on another structure for which you knew the behavior, and then where able to bend some stack corruption out of. Alternatively you could overflow onto another structure that held an arbitrary execution buffer. An analogy here would be that if you're a grain of sand on the beach on the northshore that's about to be overflowed, the neighboring grain of sand is a grain of sand from the beaches of France. Seriously. Scripting could simultaneously be used to help imrpove the odds of a successful exploit, but it absolutely does NOT ensure success. In the wild, I would bet that the chances of a successful infection as a result of looking at a webpage with this problem are approximately 1 in 10,000, if not lower. Even with the heap preparation through scripting.
The second press release is simply being paranoid. They found an overflow exploit, but there's no information to suggest that it could actually be used to execute arbitrary code.
A little knowledge is very dangerous. Knowing how C++ compiles programs to fit into the assembly model would be very beneficial knowledge for anyone conisdering how buffer overflows can be used to seize control of a computer.
Buffer overflows by themselves are NOT the problem. They are only (consistently) problematic when they occur in the stack. In the heap, they are little more than nuisances (in the 99.99% case).
The answer is obvious (Score:1, Insightful)
Mythical Man-Month (Score:2, Insightful)
Often times, the more people you put on a specific problem/project, the SLOWER it goes because of issues like communication, and stumbling over each others' toes, not to mention simply dividing tasks.
Re:Because they don't have to (Score:3, Insightful)
I have no problems with people recommending a Mac as a possible solution to personal computing woes, but people are more often than not dishonest or omissive about the drawbacks of the systems they recommend.
Fiduciary Responsibility (Score:1, Insightful)
Companies must sell the shoddiest, cheapest piece of crap that the customers will still buy for a given price point; it's a basic law of capitalism. Customer satisfaction is absolutely irrelevent, except for when it impacts sales, present or future. The job of a corporation is to give people only as much as they will pay for, not what they actually want.
People have repeatedly proven they will pay for bad software. They'll pay helpdesks to explain poorly designed software instead of buying better designed software, because they can't tell the difference, and good marketers keep blurring the difference. They'll pay Microsoft "support lines" hundreds of dollars for a few hours of shoddy assistance in the vague hope of being able to work around the bugs that Microsoft put in their code in the first place. They'll buy "service packs", "upgrade versions", and "bugfix releases" of software that was shoddy to begin with.
If Microsoft sold a perfect operating system, they'ld spend millions of dollars on bugfixing, and only get one sale. If they keep selling crap, they can sell copy after copy of bugfix releases, and people will keep buying, because they only have to pay a bit more each time, and they have a pressing need to solve an immediate problem (overcome a specific bug).
So long as it's in Microsoft's financial interests to release buggy code, they will continue to do so. Bugfixes cost money, and releasing buggy code generates profits through upgrade paths and support contracts. The day those economics cease to apply, expect Microsoft's code to change. Until then, don't hold your breath: Microsoft, like all corporations, is out to maximize profit.
Fixing every bug isn't financially viable (Score:2, Insightful)
This post pretty much sums up why is isn't practical for Microsoft to fix every single bug. The harsh truth is that it's (financially speaking) not worth it.
Re:Mod parent up! (Score:3, Insightful)
It's not just ActiveX. One of the examples linked to in the article involves a corrupted font file being able to bring the OS down.
At least a part of the problem is Microsoft deliberatly writing "sphagetti code" in order to make applications be a part of the OS.
Unless it is seperated from OS, ActiveX will always be a threat to the security of a Windows PC.
A problem from Microsoft's POV is that if ActiveX was structured module or IE was just an application it would be a lot easier for a third party to replace Microsoft's bits of Windows.
Re:It's all about "cute" data structures (Score:5, Insightful)
I beg to differ. MFC may not contain this sort of thing, but Win32 and the system API behind it absolutely, positively include lots of structs like that. Check out the serial port DCB struct, or many of the associated serial-communications related structs, for example. Check out almost any TAPI-related struct. Many other subsystems are the same, I'm sure.
Usually, the length is actually used as a version code, not a buffer limit. OS code and user code can both check the length to see which version of the struct they're dealing with. As long as it's really used that way, it's not a problem.
this kind of struct will *never* be a problem. Let's consider all of the cases:
Allocating the struct isn't the main problem. The structs Win32 hands back can be downright baroque in their complexity, including variable length data objects and pointers to those objects. An application program written with the assumption that those data objects will not exceed some documented maximum length could easily wind up with a buffer overflow on the stack when interpreting, parsing, or otherwise manipulating a maliciously constructed struct.
Let's assume for a second though that someone gives me the buffer pointer...
Aren't you hosed right there? If the pointer points to your own stack, and you write through it, then bye-bye process. If what you write is some data chunk also provided by the same malicious someone, then you could very well be dumping exploit code right into your own stack.
4 words (Score:4, Insightful)
smash.
Stupid and Arrogant? (Score:2, Insightful)
Wow, run-on sentence.
Short version: You keep saying those words. I do not think they mean what you think they mean.
There are an infinite number of bugs (Score:3, Insightful)
Windows contains above 100M lines of code (recollection from some time back, probably more now).
The overall design philosophy is 'tight integration', so everything affects everything.
Any software testing problem is combinatorial: all combinations of inputs checked against all outputs. This is why testing cannot be used to produce a quality product, only to check whether the development process is capable of producing a quality product.
I guarantee you that MS's bug list for each product is in the 10s of 1000s. It is a major effort to even sort through bugs and choose the most critical, consolidate by root-cause, isolate to DLLs, AND REGRESSION-TEST THE FIX(es).
In a large system, the overhead of source code management (checkout, change, test, merge with the release with the bug, and then merge into later releases of code) is enormous. The productivity of people doing bug fixes in these large systems is very low, no matter how expert they are. This is why developers HATE fixing problems in released code.
No large company can fix all their bugs, even when bug fixes don't generate new bugs.
Lew
They don't have that much money (Score:3, Insightful)
Go back and read Fred Brooks' Mythical Man Month. Microsoft doesn't have the money to hire enough coders to fix all their bugs. Their code is just too complex for that to work. Each coder coming in to change something affects all (most) of the others. Hiring more coders just makes it more difficult to fix bugs.
Where I work there are 5 programmers on a project that was written from scratch within the last year or two, and we were all on the project from the beginning. Even still we still have problems where two different coders are assigned to two seeming different bugs that have subtile interactions. More than one patch was stopped at the last minute because it overwrote a file from a different patch. (We use CVS which helps a lot, but it is not perfect - I'm told most companies do not use any version control, I have no clue how they can get any patches out)