Shostack + Friends Blog Archive


Kudos to Microsoft, Brick-brats to Apple

MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls.

As a result of these changes that we made for security's sake, for a limited number of customers some pages may not load as expected. We’ve published some guidance on this further detailing the changes and how customers can resolve this if they are experiencing problems. We also updated the bulletins to make sure people have the right references to roll back the changes if they need to go back to the less secure state.

So writes Stephen Toulouse in the Microsoft Security Response Center blog. It’s really hard to make these sorts of choices, and I think that Microsoft deserves notice for making them, and making them in (what I think is) the right way.

Looking in from the outside, it’s clear that the “app compat” issue weighs heavily in decision making. Microsoft has been listening to their customers, who, after years of investing in the Microsoft stack, don’t want it to break. You know it gets lots of attention when they shorten those words — for example, this presentation by Tony Chor of IE (4.8mb ppt). But at times, app compat is going to have to break for security reasons.

When you do break app compat, that’s no reason to make consumers pay. That’s exactly what Apple is doing with the slew of high-priority Quicktime fixes that came out last week: They’re not producing a Quicktime 6 fix. Now, if you paid for Quicktime Pro, you have a choice. You can either pay again, or accept that random Quicktime video can execute arbitrary code. Given that Apple’s browser, Safari, comes with plugins enabled, and that those plugins include Quicktime, your browsing the web with Apple’s default settings can lead to a compromise. Apple’s fix? Pay us $20, again. I think that’s the wrong way to treat customers.

Actually, to be completely fair, it’s unclear whether these issues affect Quicktime 6 or not. Apple’s Software Update is suggesting an update. The complete message I’m shown is:

QuickTime 7.0.3 delivers several important bug fixes, primarily in the areas of streaming and H.264 video. QuickTime 7 Pro users also gain the ability to create video and audio files that can be played back on compatible iPods. This update is highly recommended for all QuickTime 7 users.

Important Notice to QuickTime Pro Users
Installation of QuickTime 7 will disable the QuickTime Pro functionality in prior versions of QuickTime, such as QuickTime 5 or QuickTime 6. If you proceed with this installation, you must purchase a new QuickTime 7 Pro key to regain QuickTime Pro functionality. After installation, visit to purchase a QuickTime 7 Pro key.

Apple really should make this easier. Following reporting by Dawn Kawamoto, it seems that Secunia claims 6.x is vulnerable.

Brick-brat 1: No mention of security. Brick-brat 2: No comment about the widely deployed QT6, other than “We break license key compat.” Brick-brat 3: Telling your customers they can either be insecure, pay up, or lose functionality. That’s the wrong point on the app-compat scale. If Microsoft were doing this, people would be foaming and sputtering.

One comment on "Kudos to Microsoft, Brick-brats to Apple"

  • Jen Z. says:

    The actual word is “brickbat”, FYI… And Quicktime Pro is actually over $30 (or US$29.99 plus applicable tax, to be precise), so your point is even more cogent. Yeah, it sucks to pay again (since I already have paid FOUR times, for QT 5 Pro for OS 9, QT 5 Pro for OS X, AND QT 6 Pro for both Mac and Windows!), but it’s worth it for me. Each license I got a heck of a lot of use out of (a couple years’ worth, seems like). And hey, if you don’t care about being legit, run a crack or use someone else’s serial.
