Robert McLaws: Windows Edition

Blogging about Windows since before Vista became a bad word

Time for Microsoft to Change Its Patch Policy?

A very interesting post on the Google Online Security Blog analyzes which web servers are responsible for the world's malware.

Microsoft IIS 6 tied with Apache at 49% for compromised servers, even though Apache has a 40% lead in deployments. Apache makes up at least 50% of the malware servers in every country, save for Asia (China and S. Korea). The reason? Google says it's because of the high rate of piracy in Asia, and Microsoft's policy of not patching pirated systems.

Distribution of web server software by country.

[Figures: Web server distribution by country (left); Malicious web server distribution by country (right)]

The figure on the left shows the distribution of all Apache, IIS, and nginx webservers by country. Apache has the largest share, even though there is noticeable variation between countries. The figure on the right shows the distribution, by country, of webserver software of servers either distributing malware or hosting browser exploits. It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache.

We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy (piracy statistics from NationMaster, and BSA), and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems.

Is it time for a change? Based on this information, I agree with Google. I think the evidence is pretty clear here that Microsoft's patching policy hurts legitimate customers much more than it does pirates. As much as I support technologies that reduce piracy (so that maybe Microsoft can lower prices), I can't support this policy if it puts my family's computers at risk. Pirated copies of Windows should be allowed to connect to Windows Update for Critical updates, without fear of retribution from Microsoft. That means they should be able to get updates without worrying that WGA is going to shut down their system.

Microsoft has many ways to fight piracy. Punishing paying customers by putting them at risk should not be one of them.

UPDATE: The WGA team contacted me to let me know that the policy I quoted was from July of 2005 and is out of date. Microsoft's policy is, in fact, to allow for critical patches to be downloaded via Automatic Updates, regardless of a machine's license state. Since that is the case, I would assume that the pirates have shut AU off on these machines so they don't report back to Microsoft. Can't fault Microsoft for that.



  • Tim said:

    As far as I can see this just doesn't stack up and is classic FUD. Microsoft allows access to critical security patches for all products pirated or not...

    Other than that you can't really expect a company to proactively support stolen software surely?

    June 6, 2007 7:51 AM
  • Hjortholm said:

    ..... so you think users using pirated software deserve updates - beats me!

    June 6, 2007 8:36 AM
  • Perhaps the focus is on the wrong thing. Instead of making sure pirated software is patched, double the efforts and make sure the purchased software is protected.

    You could eliminate a ton of the issues.

    June 6, 2007 10:21 AM
  • diane wilson said:

    The numbers don't break down by release, either. IIS4 had a rich reputation for security issues, and is probably well beyond support dates. How many of those Chinese and Korean servers are running anything like a current release of IIS? Probably not many.

    Also, even if security updates are supported, the systems have to be configured to get and install security updates. Again, bet that they aren't.

    June 6, 2007 1:22 PM
  • tim said:

    This says nothing about the server administrators' intention -- I'm sure most malware/warez servers aren't unknown -- to me this is FUD and doesn't assume that these distribution points aren't intentional...which most are. Gee, I wonder what servers show up where all the good stuff is distributed (warez servers on IRC/FTP)

    June 6, 2007 4:09 PM
  • Where is your Malware coming from? Interesting post at Google Security regarding Web Server Software and Malware

    June 7, 2007 1:45 AM
  • djano said:

    "As much as I support technologies that reduce piracy (so that maybe Microsoft can lower prices), I can't support this policy if it puts my family's computers at risk."

    Ah Ah Ah! How funny! Do you really think Microsoft would reduce its prices if piracy reduces?

    Anyway, I am for technologies that reduce piracy as long as it does not cause any problem to legitimate users.

    Otherwise, switch to something that does not have any piracy problems ;)

    June 7, 2007 7:10 AM