More on Microsoft's Patch Work


By Stephen H. Wildstrom

Reader Scott Ladewig says: Whenever you run the Microsoft Messenger setup program, there's always a screen that asks if you want to make MSN the default home page. There isn't anything different about this version of the Messenger setup program from any other Messenger setup. So I don't think it is appropriate for you to say [in a previous column, 2/24/05, "Microsoft Slips a Plug in a Patch"] that they are using the need to patch to get people to switch their home page.

How can you call it browser hijacking when they show you exactly what they are doing and give you the option to change it? If they did it without telling you, sure, but they don't in this case, and it isn't buried in an end-user license agreement or other vague text.

A number of readers wrote to me to make a similar point regarding Microsoft's (MSFT) handling of a patch of a "critical" vulnerability in the MSN Messenger instant-messaging program. I took exception to part of the procedure in which, unless you were careful to uncheck an option, the upgrade would set your Internet Explorer home page to msn.com.

This home page option is routinely included in installations of MSN Messenger, whether first-time or of a new version. I feel strongly that software providers shouldn't change system settings by default unless they're essential to the proper functioning of the new program. But there's no question that software publishers are within their rights to make these offers, however aggressive. Indeed, Yahoo! (YHOO) and America Online, among others, do the same thing.

GOING SIMPLE. A security patch, however, is not the same as a new installation or a routine upgrade. Security experts recommend that patches should do nothing but fix the problem at hand, not introduce new features or improvements that aren't security-related. A Microsoft spokesperson says the current design of MSN Messenger required that a new version be downloaded rather than just a patch, as is common with other components. Microsoft is trying for simpler patches in the future, she says, "but unfortunately we aren't there yet."

But even if it needed to replace all of Messenger, Microsoft should have provided a clean installation that fixed the vulnerability, period. It would, frankly, be a lot easier for me to accept Microsoft's oft-repeated claim that security is the company's top priority if it would consistently stick to what is generally regarded as best practice in the security area.

Wildstrom is Technology & You columnist for BusinessWeek. You can contact him at techandyou@businessweek.com

