Tuesday, March 15, 2005

Early MS patches for US government!

Microsoft has revealed that it will provide the US Department of Homeland Security (DHS), the US Air Force (USAF), and similar organizations early access to software security patches that it will later release publicly. Security experts immediately assailed the move out of fears that information about the patches--and thus, the flaws--could find its way into the hands of malicious hackers.
Here's the problem: If Microsoft provides detailed information about a Windows security flaw far enough in advance of the public fix, malicious hackers could use that information to construct malicious software (malware) that exploits the vulnerability. Microsoft, however, is providing only the actual patches, not detailed information. Even so, hackers already reverse engineer patches the day they are released to discover which software processes the patches change and thus, in many cases, gather information about the flaws they fix.
However, that's generally difficult and time-intensive work.
Although the company acknowledges there is some risk, Microsoft tries to counter these fears by noting that it will disseminate patches only to trusted government agencies. However, reports last week noted that the DHS would provide other government agencies with access to the Microsoft patches as needed, heightening fears that the patches could be used for illicit purposes: The patches will likely be provided to a wide range of people, any one of whom could spread the code to hackers.
For me this approach is unacceptable, as other corporates will not get access to these; however, I like the idea. MS should look into the possibility of making their OS more secure.