Is the release of a security update for MS Windows 7 two weeks before it's available to the public a sign of security troubles to come, or is it a sign that Microsoft is finally paying real attention to security?
Microsoft's upcoming presentation of Windows 7 at PDC2008 is scheduled for next Tuesday. Among other things, it is expected to fill in a gap in Microsoft's operating system strategy, addressing the need for OSes that will run efficiently on a class of laptop computers that has come to be called "netbooks".
The growing popularity of netbook laptops such as the Eee PC, most of which run a custom Linux distribution with MS Windows XP only offered on the most expensive models, has led many to suggest that low-power, highly mobile, efficient, and low-cost little computers like the Eee PC might represent the tipping point for mass adoption of open source operating systems. The words "the year of Linux" have been uttered many times.
There's speculation that MS Windows 7 will address the netbook market more effectively than the pared-down version of MS Windows XP Home Edition that is offered on the most expensive Eee PCs. On Tuesday, Microsoft is expected to provide a pre-beta version of Windows 7 for attendees of PDC2008.
This is where things get strange:
A highly dangerous security vulnerability was discovered in MS Windows 7 between when the CDs to be distributed at PDC2008 were created and now. Microsoft has, as a result, released a security patch for software that hasn't been released yet. The patch announcement says:
A security issue has been identified that could allow an authenticated remote attacker to compromise your Microsoft Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. This update is provided to you and licensed under the Windows 7 Pre-Release License Terms.
I'm tempted to make jokes about security vulnerabilities being so numerous in something created by Microsoft that the company's patches have started appearing before it's even available. "Oh, it's starting already," I'm tempted to think. That's not really the lesson to be taking from this.
What I find remarkable is that Microsoft has provided a security patch before it is needed. In the past, the company's record for providing a patch to the public was ten days — a dismal record, considering the fact that other operating systems' average patch time is less than that. With this Microsoft security update, available for almost a week already, we have a patch available 13 days before anyone outside Microsoft will even have the operating system.
I don't know how long ago the MS Windows 7 CDs were created, and I certainly don't know how long ago Microsoft became aware of this vulnerability. As such, I don't actually know how long it took Microsoft to develop, test, and release this patch. For once, I hope that a security update took longer to go through all of that, rather than taking less time, because it might suggest that Microsoft did a very thorough job of properly patching the vulnerability. Since there isn't as much urgency, from the point of view of the world outside Microsoft's walls themselves, it makes sense for the company to take its time and do the best job it can.
Superficially, however, a security update released 13 days before its public user base will even potentially be affected looks like a good sign for Microsoft's future attention to security. The company's marketing department and executives — and Bill Gates himself — have been talking about the company's increased focus on security for years, now. On the other hand, it seems likely that this happened only because Microsoft had a lot of lead time before the patch would be needed. A better test would be if another such vulnerability were discovered, say, today. How quickly would an update appear?
If this event is what it superficially looks like, however, Microsoft may finally start walking the walk after talking the talk for so long. Only time will tell.
Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!