It's time for Microsoft to supply ALL patches to All users

It's time for Microsoft to supply ALL patches to All users

Summary: It's time for Microsoft's policy of tying the availability of Windows Updates to Windows Genuine Advantage (WGA) validation to end.

SHARE:

It's time for Microsoft's policy of tying the availability of Windows Updates to Windows Genuine Advantage (WGA) validation to end.

Brian Livingston writing for Windows Secrets had the following to say:

"It's ridiculous to say that Microsoft provides all security updates to Windows users, whether or not they pass Windows Genuine Advantage (WGA) validation. No, Microsoft doesn't.

"First of all, a system that fails WGA is restricted in using Microsoft's update and download sites.

"WGA has a reputation for rating some PCs as unlicensed when in fact they're completely legitimate. For this reason, many people exit Windows Update at this point and turn off Automatic Updates (if it was enabled) rather than risk disabling their expensive computers."

Windows Update and WGA are interlinked. If you have a PC that doesn't validate as running a genuine copy of Windows (or you are uneasy about putting it through the validation process for whatever reason), then you are limited to receiving only those updates that are labeled as "Critical". While this still gives users access to the most important updates, it means that users miss out on updates classified as "Important" or "Moderate".

To make matters worse, back in 2006 someone at Microsoft decided to push an update for the WGA mechanism (KB905474) through the Windows Update mechanism and marked it as a "Critical" update. This mixing of genuine security updates and marketing propaganda was an enormous abuse of trust on Microsoft's part (Apple later pulled a similar stunt when it pushed Safari to Windows users though its software update mechanism) and shouldn't have been allowed to happen.

It's now time for Microsoft to disconnect WGA from all Windows related updates. Same goes from Office Genuine Advantage and updates for Microsoft Office. The current situation doesn't make good sense. I don't have a problem with Microsoft demanding that users wanting additional content (games, new apps, templates and so on) have to go through a validation process, but ALL updates should be available to ALL users, irrespective of whether users are running a genuine copy of Windows or not. Users who have unwittingly been sold a counterfeit copy of Windows shouldn't be penalized and have their security compromised. In fact, when it comes to security updates, even those who know they are running a pirated copy of Windows should get access to all updates. It's in everyone's best interests that as many machines as possible are patched.

Thoughts?

[UPDATE: This is from a Microsoft spokesperson:

1. We offer all security updates, service packs, and other critical reliability updates on Windows XP and Windows Vista even if the machine is non-genuine (these are ‘Important’ and ‘High Priority’ Updates). 2. Other individual recommended or optional updates may or may not be blocked on Windows Vista, at our discretion (i.e., not ALL ‘Recommended’ and ‘Optional’ updates are only delivered to Genuine systems). 3. All Optional Updates on Windows XP are disallowed since the WU and MU sites prevent access from non-genuine machines, and ‘Optional’ Updates can’t be found through Automatic Updates on the local computer.

While I accept that this is true, the problem is that updates are still hidden behind a WGA wall. For example, take the following from Microsoft's own description of WGA:

Upon your first visit to the Microsoft Download Center, Windows Update, or Microsoft Update sites, you receive a message requiring you to validate your copy of Windows.

Another example is from Microsoft's download page for Windows Defender:

There are significant risks to running non-genuine Windows. Only genuine Windows customers can receive product downloads, Windows updates and special offers. Windows Defender will validate that your copy of Windows is genuine before installation. Furthermore, Windows Defender will only remove Severe threats for machines that are not genuine. Low, Medium and High threats will be detected, but not removed unless your copy of Windows is genuine.

These are just two examples of the WGA wall that Microsoft puts between users and updates.]

Topics: Software, Microsoft, Operating Systems, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

446 comments
Log in or register to join the discussion
  • And everyone

    with a stolen car, that has faulty brakes, should take it to the Dealer and get the brakes repaired under warranty. Because, that's what is best for society, regardless of whether or not they STOLE it.
    LandonAB
    • re: And everyone ... would be better off ...

      <font color=#808080><em>"...car, that has <font color=#000000>faulty</font> brakes, should take it to the Dealer ...
      ...that's what is best for society,...</em></font>, that would decrease fatalities.
      ...
      <font color=#808080><em>"...regardless of whether or not <font color=#000000>they STOLE it</font>."</em></font> <em><a href="http://www.efc.ca/pages/law/cc/cc.334.html" target="_blank">Theft</a></em> is a law enforcement issue.


      ^o^
      <br>
      n0neXn0ne
    • Bad analogy

      This isn't a very good analogy.

      First off a stolen vehicle is most likely NOT stolen from the manufacture but rather an individual. With Windows robbers don't break into a persons house steal their copy of Windows and wipe the victims HDD.

      Secondly, once a patch is created the cost is sunk. People don't bring their computers to Microsoft to have a certified technician patch the system.

      Having said that I think it would be in Microsoft's best interest, PR wise, to continue to allow critical patches, and only critical patches to unvalidated systems. If someone has a legal copy of Windows and is getting WGA errors, as rare as it is, it doesn't take much effort to contact Microsoft for a remedy.

      I'm sure Microsoft knows this from experience but it is really bad PR when a vast number of Microsoft OSes become compromised and a lot of media attention is drawn to it.

      This latest Conficker ruckus is a good example of how well Microsoft has been at containing large threats. The Conficker threat has amounted to nothing more than a hill of beans.
      mikefarinha
      • re: ....

        <font color=#808080><em>"The Conficker threat has amounted to nothing more than a hill of beans."</em></font>

        Because it was version "c" it's still in beta like Win 7.
        Let's see what will happen with version "Z"

        Hence there is still a 250K bounty for the creators head

        ^o^
        <br>
        n0neXn0ne
        • Bounty

          Not the first case when there was a reward offered for information leading to the arrest of a virus writer. It is common practice.
          Erroneous
        • Don't be so selective when quoting me

          I said:

          [i]This latest Conficker ruckus is a good example of how well Microsoft has been at containing [b]large threats[/b]. The Conficker threat has amounted to nothing more than a hill of beans.[/i]

          No doubt that conficker was a nasty worm. Security is a cat-and-mouse game; it always will be. Had Microsoft been lax with their patches conficker could have been quite devastating. The fact of the matter is that Microsoft had the patch for the vulnerability on their servers before the worm was widespread. Users that keep their systems patched were rewarded with a conficker free system.

          It was because of Microsoft's efforts the 'scare' was much ado about nothing.
          mikefarinha
          • ...

            [i]Don't be so selective when quoting me[/i]

            In case you haven't noticed... that's the only way he/she posts anything.

            Take one snippet of text, change what he wants and throw in a "^o^".
            Badgered
          • Conficker

            I could be completely off base here, but i'm pretty sure that Microsoft had nothing to do with containing the Conficker worm. I recall reading a post on ZD describing how the April 1st date was only
            a) the day when conficker upped it's ante from a small number of domains to a large one,
            - and -
            b) largely ineffective thanks to security researchers, not Microsoft and their patching.

            In fact, there are many articles available that verify that the primary reason that the Conficker worm didn't do much was due to blocking of the sites it was trying to contact, not patches in the OS.

            Here's an excerpt from one for you: "Security companies monitoring the worm have been largely successful at blocking infected machines from communicating with whoever programmed it." - http://www.wgal.com/news/19054410/detail.html

            Notice that these articles never mention that the reason that the worm didn't do much is because the "previously infected computers were patched properly." No, it's quite clear that Microsoft is not responsible directly for containing this threat.

            Personally, i doubt we've seen the last of Conficker. April 1st sounds like it was supposed to be a feint, and that the real activation will be coming along later. But that's just me.
            /A\V/
          • Yeah, you're completely off base.

            [i]Microsoft is taking the Conficker worm pretty seriously. They have, for the first time, coordinated a group of industry representatives from security companies, consulting firms, and registrars to actively combat the outbreak. Microsoft is not limiting itself to technical solutions; they are offering a $250,000 reward for information that leads to the arrest of the worm?s authors.[/i]

            http://blogs.zdnet.com/security/?p=2572

            However my initial comment was about the patch that fixed the vunerability that Conficker exploited. Microsoft released the patch immediately due to the severity of the vunerability. The only computers to get infected were those not keept properly patched.
            mikefarinha
          • Well

            Then i stand corrected.

            The point of my statement remains valid, however - Microsoft's patching is not the reason that this has been contained and that Conficker is probably not done.

            Not to mention that, taken from the same article that you posted, Microsoft's alliance - the researchers from the OTHER security firms that are researching the worm - has about one major trick up their sleeve - registering thousands of domain names as soon as they realize that Conficker is trying to talk to said domain.

            This is NOT a solution, it's a desperation tactic. It shows clearly that they are desperate for a fix, and are scrambling to try to stay afloat. All it'll take is a quick twist in the worm's communication method, and bam, it's over.
            /A\V/
          • @deviros are you dense

            The fact still remains that it was Microsofts original patch that vastly reduced the number of infected machines from what it might have been. I can see that aparently you are a MS hater but even you should have enough sense to see that it was MS's efforts which originally reduced the severity of the threat overall.
            trundor1@...
          • Back to patching

            As far as Conficker is concerned I have to agree with everything you've said. But what you said is also a good base for the arguement that Micro$oft should release their patching a bit more than is currently done.

            Botnets, viruses and spyware are threats to everyone using the Internet, regardless of OS or the legitimacy of the copy of that OS. Any patch for any bug that fixes a vulnerability should be released to every computer running that OS, if only to protect the legitimate users from being affected by the illegitimate.

            That said, any patch that adds functionality or fixes a bug that is not a security flaw they have every right to hold behind their WGA wall. They just need to have free support available to fix WGA bugs and errors. Because they have the right to protect their intellectual property does not give them the right to leave any of us who use their software legally and honorably hung out to dry. Now or after they consider the software to have reached EOL.
            tech869
          • easy fix

            there is an easy way to fix the wga errors do occur an MS has things setup so its quite simple to get these errors corrected it just requires a minimal effort on your part in leting them know of the problem. So, dont be lazy just pick up the phone and call MS....DOH.
            trundor1@...
          • you are not comletely correct

            While the security firms did help to reduce the spread it is still due the patches from MS that far fewer machines where originally infected. Give credit where credit is due, in this instance MS did an excelent job.
            Now, unfortunately i have to agree with you that we haven't heard the last from the conflicker worm, but I hope that MS and the security firms will continue to do such a good job.
            Bravo to both MS and the various security firms involved.
            trundor1@...
          • I think you are about right on the money except that...

            ... conficker wasn't supposed to do anything, there is no real malicious payload, just [i]the potential[/i] to retrieve it. Conficker was a big hole in the wall, not an actual bank robbery. And the solution did come from outside of Microsoft.
            Didn't 60 minutes claim it was some kid hacker in Russia named Tempest?
            I know that the "a" version checked for a Ukrainian keyboard and aborted if it found it, and the "b" variant checked for a Ukrainian language pack. Not sure if the "c" variant did any sort of language check.
            914four
        • IT should be 500K

          Any idiot that sits around witing any program designed to hurt someone else be it end user or corporation has no life so they try to mess up everyone elses. I feel that he/she should be strung up and tortured to give him/her abetter perspective.
          trundor1@...
      • Say What?

        You said "First off a stolen vehicle is most likely NOT stolen from the manufacture but rather an individual."
        Are you saying it's okay to steal from a manufacturer?
        Care to explain why it's okay to steal from a company and not an individual?
        wcallahan@...
        • ....

          <font color=#808080>"Care to explain <strong><a href="http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=62797&messageID=1160208" target="_self">why</a></strong> it's okay to steal from a company and not an individual?"</font>

          <a href="http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=62797&messageID=1160221" target="_self">also see</a>


          ^o^
          <br>
          n0neXn0ne
        • Car vs. Software is lousy analogy

          This analogy stinks from start to finish. The two are so completely different as to make any point worthless and debatable.
          tech869
        • LOL i guess it's because they can afford it

          but few people bother thinking ahead to the fact that these costs get passed right on to us as consumers.
          trundor1@...