Microsoft Reveals Anti-Disclosure Plan
Kevin Poulsen, SecurityFocus 2001-11-09

Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes

Microsoft Reveals Anti-Disclosure Plan 2001-11-09
Anonymous (1 replies)
Microsoft Reveals Anti-Disclosure Plan 2001-11-10
Gregarious Monk
What about the admins? 2001-11-09
ferretzero
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
russell handorf
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
Angus Blitter
30 days makes no difference 2001-11-09
Anonymous
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
kishg (at) optonline (dot) com [email concealed]
Shocking developments 2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (2 replies)
Shocking developments 2001-11-09
Anonymous
Shocking developments 2001-11-09
Greggory Peck
Be careful what you wish for. 2001-11-09
Surreal
Such a policy for disclosure already exists 2001-11-09
Dumky (1 replies)
Such a policy for disclosure already exists 2001-11-10
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
Microsoft Reveals Anti-Disclosure Plan 2001-11-09
Anonymous
This announcement has more to do with marketing and economics than security or "information anarchy". The bottom line is that Microsoft produces buggy, insecure products because they prefer to spend resources on adding new "features" to products rather than QA'ing, security research, or redesigning code to be simpler, more functional and more effective.

The reason "features" are a priority is because the only way Microsoft makes money is to get people to buy a new version of their products every couple of years. In order to do that they need to advertise that their new products have important new "features" (which in reality usually translate to superfluous bells and whistles that do absolutely nothing to improve the functionality of the product). Microsoft can't really sell its new products to consumers on the fact that they are more secure or less buggy because that implies that their old products are insecure and flawed... and we all know in the real world when a company sells a flawed or unsafe product it is the company's responsibility to recall and replace that product at its own expense... not to force the consumer to buy a whole new product in order to get that security.

The whole reason this "feature"-based marketing spin works for Microsoft is that most of the people that buy their products are fairly ignorant about technology and security. That isn't intended as an insult to purchasers of Microsoft products (hey, I'm an MCSE myself). However, the simple fact is that the average consumer knows less about what makes their computer work than they do about what makes their car work. On the corporate side of things (where it really should matter) most of the people making purchase decisions about software aren't technical people; they are business management types. Your average CTO today is far more likely to be an MBA than an engineer.

Those people automatically assume (falsely) that the products Microsoft sells them are secure and function as they were designed. So the only thing they really pay attention to in advertisement are what new "features" the product is supposed to have.

Where does non-disclosure come into all this? Well, anytime Microsoft has to fix a flaw in one of their products it costs them money. Microsoft really doesn't care if somebody gets hacked because of a flaw in its products. What it DOES care about is whether sales of its products are impacted due to bad publicity. When a flaw in one of Microsoft's products is fully and publicly disclosed it FORCES Microsoft to spend the resources to fix that flaw in a timely manner, because Microsoft doesn't want to risk the kind of publicity it would get if it were PUBLICLY SEEN to have a flawed product and to be doing nothing to fix it. The more limited the public disclosure of such flaws is, the less publicity there will be about them. Less publicity means less impact on the sale of its products, which means it can choose to spend far fewer resources addressing those flaws or even ignore them completely. It has no real incentive to fix them.

Summary: limited exposure = good for Microsoft's bottom line & bad for consumers and the security of the internet.

...on second thought...Kudos! 2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (1 replies)
RE: ...on second thought...Kudos! 2001-11-10
Gregarious Monk
RFP (Rain Forest Puppy) 2001-11-10
Anonymous
Read the fine print 2001-11-11
Anonymous
Cross your fingers... 2001-11-11
Anonymous
Full disclosure will survive 2001-11-11
Ben - Canberra AUS
So, green light to sue? 2001-11-12
Anonymous
Microsoft have no server monopoly: this may reduce their share 2001-11-12
Kirsten Bayes (kirruth@hushmail)
Copyright 2009, SecurityFocus