This is possibly the simplest, best exposition of this problem that I have seen. As a consultant, I despair of finding ways to keep my dial-up customers current. Most of them just give up, repeatedly, despite my best efforts to encourage or terrify them. Six months old security updates are completely inadequate. Such CD's should be cumulative and updated at least once a month even if they are only shipped quarterly. The huge sump of unprotected users out there are affecting all of the internet, and this includes broadband users.

Now, I do have one further problem with MS on this front. They casually include function updates along with critical updates. Those should be in a completely separate process on a separate CD, requiring clear, short summaries of EULA changes or things like DRM that are included in new products. For example, I will not allow my customers to install any WMP functional updates, because of the DRM implications of recent versions. On the other hand, I do want them to have security updates, always. DRM is not a security issue, period, exclamation point. MS use of it's update function to stealthily extend it's reach and control should be actionable under any number of laws.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/230/25575#25575