On Mon, 25 Aug 2003 08:35:43 CDT, Jack Bates <jbates@brightok.net> said:
Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD.
The problem is that you need to look at the sum of (lead time) + (time patch CD spent on shelf). Given a lead time of 4-6 weeks, and sitting on the shelf for 2-3 weeks... and suddenly you're looking at a 2 month old patch CD.

Now take a look at the last few years' Microsoft advisories, and ask yourself: What percent of the time was the *last* remote-exploitable major hole more than 2 months old?

And getting the lead time down to 4-6 weeks would be a challenge - remember you have to *ship* the re-mastered patch CD to every retailer and get it on the shelves. That's going to hit your bottom line.

And keep in mind that Microsoft doesn't have to answer to its customers, it has to answer to its shareholders. As long as security problems don't affect its bottom line, we're not going to see any change at all.