Microsoft's Stance on Piracy Affects Us All
Oliver Day, 2008-11-14

For the last few years, Microsoft has wrestled with its stance on piracy. A pirated copy of Windows is exposed to exactly the same vulnerabilities as a licensed one: whoever runs it must install patches, or the machine will be compromised.

As it stands today, Microsoft's policy allows pirated copies to receive patches automatically through AutoUpdate, yet forbids them from downloading them directly from Microsoft's Web site. Despite some tweaks to its policy, however, the company continues to make it difficult for users of pirated versions of its operating system to patch reliably.

Editor's note: The column has been corrected with an author's note.

A significant issue is that Microsoft periodically slips Windows Genuine Advantage (WGA) into the stream of security updates. This type of subversive act has a very negative effect, likely convincing many users to forgo updating rather than risk finding their machine crippled. I can't find any substantiated numbers but Microsoft's WGA page mentions that millions of users per year purchase counterfeit CDs. Add to this those who download copies from the Internet, and I would say that the population of unvalidated XP users is very high.

The idea that withholding patches from computers is detrimental is not new and has been written about even in academic circles. The paper Windows of Vulnerabilities (pdf) describes a host on the Internet as "[oscillating] between the hardened and vulnerable states during its lifetime." The paper shows that vulnerability is part of a computer's life cycle, fluctuating around the disclosure of each vulnerability and the release of its patch. The number of hosts vulnerable to a particular exploit may dwindle the longer a patch is available, but every minute that a host remains susceptible increases the chance that an infection adds it to a botnet.

Security expert Bruce Schneier noted that there are two ways to deal with this problem: Limit the number of people who know about the attack or reduce the number of systems that are vulnerable. The first method has been tried for years with little success. This leaves us with the option of reducing the number of vulnerable machines on the Internet. Or as one team of researchers noted (pdf), "a vulnerability dies when the number of systems it can exploit shrinks to insignificance."

In a recent study using data from an Aprox botnet -- an ideal group to research this subject because these machines have obviously been compromised -- Dennis Brown found that the top infected system profile is Windows XP running Internet Explorer 6.0. These systems are obviously not patched regularly. However, no one can state unequivocally why, nor prove that they are pirated copies of Windows XP. While there is no doubt that many pirated copies of XP exist on the Internet, the key question is how many of these vulnerable systems are a result of Microsoft's stance on piracy.

The simple answer is that the current WGA policies from Microsoft significantly extend the lifetimes of vulnerabilities, sometimes indefinitely.

It's reasonable to assume that every time Microsoft attempts to slip WGA into the security stream of AutoUpdates, a certain percentage of users switch control to manual. They would likely feel that the integrity of the security stream has been violated and that each update must now be validated by hand. AutoUpdate is already a slower method of obtaining updates -- compared to manual downloading -- and this situation creates an additional lag: future updates delivered through AutoUpdate won't be applied until the user has finally gotten around to checking that the patch won't disable their machine.
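The "window of vulnerability" life cycle cited earlier and the AutoUpdate-to-manual lag argued just above can be made concrete with a small model of exposed host-days (the number of hosts still vulnerable, summed over the days each one stays that way). The following Python is an added example written for this edit, not code from the column or from the papers it cites. The one-million-host base, the three-day automatic and fourteen-day manual patch lags, the 90-day horizon, and the share of users assumed to drift from AutoUpdate to manual or to no patching at all are all constructed assumptions chosen to make the comparison readable.

```python
"""Toy model of the 'window of vulnerability' argument.

Every host is vulnerable from the day a vulnerability is disclosed (day 0)
until it applies the patch. Hosts on an automatic channel patch after a
short lag; hosts whose owners switched to manual updating patch after a
longer lag; some hosts never patch. Exposure is measured in host-days:
the sum over all hosts of the days each one stays vulnerable within the
observation horizon.

All population sizes and lags below are constructed illustrative values,
not measurements from the column or from the papers it cites.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Population:
    name: str
    hosts: int
    patch_lag_days: Optional[float]  # None means this group never patches


def exposed_host_days(pops: List[Population], horizon_days: float) -> float:
    """Total host-days spent vulnerable between disclosure and the horizon."""
    total = 0.0
    for p in pops:
        if p.patch_lag_days is None:
            lag = horizon_days                      # vulnerable for the whole window
        else:
            lag = min(p.patch_lag_days, horizon_days)
        total += p.hosts * lag
    return total


def vulnerable_fraction(pops: List[Population], day: float) -> float:
    """Fraction of all hosts still vulnerable on a given day after disclosure."""
    n = sum(p.hosts for p in pops)
    still_vulnerable = sum(
        p.hosts for p in pops
        if p.patch_lag_days is None or day < p.patch_lag_days
    )
    return still_vulnerable / n


def build_scenario(auto_share: float, manual_share: float, never_share: float,
                   hosts: int = 1_000_000, auto_lag: float = 3.0,
                   manual_lag: float = 14.0) -> List[Population]:
    """Split a host base into auto-updating, manual and never-patching groups.

    Shares must sum to 1. The lags (days from patch release to install)
    are assumptions, not measured values.
    """
    assert abs(auto_share + manual_share + never_share - 1.0) < 1e-9
    return [
        Population("auto", round(hosts * auto_share), auto_lag),
        Population("manual", round(hosts * manual_share), manual_lag),
        Population("never", round(hosts * never_share), None),
    ]


# Baseline: most hosts leave AutoUpdate on (assumed split).
BASELINE = build_scenario(auto_share=0.80, manual_share=0.15, never_share=0.05)

# After a WGA scare: a fifth of the base moves from automatic to manual
# updating and a further slice stops patching altogether (assumed shift).
AFTER_WGA = build_scenario(auto_share=0.60, manual_share=0.30, never_share=0.10)

HORIZON_DAYS = 90.0


def extra_exposure_ratio(before: List[Population], after: List[Population],
                         horizon_days: float = HORIZON_DAYS) -> float:
    """How many times larger the vulnerable host-days become after the shift."""
    return exposed_host_days(after, horizon_days) / exposed_host_days(before, horizon_days)


if __name__ == "__main__":
    for label, pops in (("baseline", BASELINE), ("after WGA scare", AFTER_WGA)):
        print(f"{label:16s} exposed host-days over {HORIZON_DAYS:.0f} days: "
              f"{exposed_host_days(pops, HORIZON_DAYS):,.0f}")
        for day in (0, 5, 20):
            print(f"    day {day:2d}: {vulnerable_fraction(pops, day):.2%} still vulnerable")
    print(f"exposure multiplier: {extra_exposure_ratio(BASELINE, AFTER_WGA):.2f}x")
```

The point the model makes is structural rather than numerical: the never-patching group dominates exposure because its term grows with the horizon, so a policy that nudges even a small share of users from "automatic" to "never" extends a vulnerability's effective lifetime far more than a longer manual lag does. Swap in your own shares and lags; the shape of the result does not depend on the constructed values.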

Creating mistrust in the security patch system seems to be one of the biggest blunders in maintaining the overall health of the Internet. Every lag Microsoft creates in patching one of its systems increases the chance that a botnet grows and the Internet is assaulted with more spam, phishing and DDoS attacks.

For Microsoft, the solution should be to dial back its assault on piracy. First, allow everyone to download security patches from the Microsoft Web site regardless of their license. If Microsoft takes the stance that, as a majority producer of operating systems on the Internet, it must ensure the security of them all, people may begin to trust systems like AutoUpdate again. Users of pirated copies would likely even ensure that AutoUpdate was turned on by default. Second, do not attempt to slip WGA into the AutoUpdate stream ever again. Nothing will destroy the integrity of the AutoUpdate system like attempting to trick users into installing this application.

The solution I propose will not eliminate botnets. It won't even guarantee that everyone will remain patched, but it will go a long way towards minimizing the number of vulnerable machines.

Whether Microsoft likes it or not, it is responsible for all the machines which run its operating system. The significant number of pirated copies online affects everyone when those machines are attacked and infected. They contribute to botnet growth, which in turn means more spam, more fraud, and more DoS attacks.

Attempting to maximize profits from licensing is completely acceptable, but not when it endangers everyone else on the Internet.

Correction: After this column was published, the author was asked to check into reader comments stating that Microsoft no longer requires a Windows Genuine Advantage (WGA) check for manual downloads of patches. While AutoUpdate requires WGA to operate, users can download and install manual updates without needing their system to pass a WGA check.

The columnist Oliver Day states:

The policy changed silently and, while this was still an error on my part for not verifying the fact before publication, it is also illustrative of the transparency issue. The Web-based AutoUpdate site still requires WGA to operate and the column still stands based on this fact. Microsoft should fully support the dissemination of security patches regardless of license.

Oliver Day is a researcher at the Berkman Center for Internet and Society where he is focused on the StopBadware project. He was formerly a security consultant at @stake and eEye Digital Security. He has also been a staunch advocate of the disclosure process and providing shielding for security researchers.
Copyright 2010, SecurityFocus