Security and Microsoft

Security and MS are basically incompatible subjects. This MS initiative brings to mind two thoughts.
1. The Air Force uses crappy Windows machines? Jesus, I hope they move to Unix/Linux/Mac soon, because anything MS is ready and willing to be hacked by script-kiddies, not to mention other assorted bad guys.
2. Knowledge of these patches would be worth a lot to these same assorted bad guys - MS is basically delaying fixing problems for the masses to concentrate on a handful of their largest clients. Theoretically, if the vulnerability was made public, millions of computers could get hacked. Just like what really happens anyway....

WSJ.com - Microsoft Gives Some Customers Early Bug Fixes:


The ability to get patches up to a month before they are widely released is “a big jump start for us,” says Kenneth Heitkamp, assistant chief information officer for the Air Force. Previously, it took the Air Force an average of 89 days to insure it had properly installed patches across its more than 700,000 desktop and laptop computers; Mr. Heitkamp says the long-term goal under the new program is to reduce patch installation to as little as 10 minutes after the fix is released publicly.


Microsoft says it has taken precautions to prevent news of the patches in the advance-release program from leaking. For example, these patches are distributed only through a “private channel,” which the company declines to describe, and no information is given about the underlying vulnerabilities being fixed or even the area of code being updated.


The extraordinary security measures are evidence of the risks involved in providing differential access about flaws that in some cases could allow hackers to take control of computer systems. If information about a new vulnerability leaks before a patch is generally available, unpatched customers could be at even greater risk of attacks by virus-writers or malicious hackers.


“If somebody gives the early patches to the bad guys before the bulk of the good guys get them, that could help the bad guys reverse-engineer their exploits,” says John Pescatore, vice president for Internet security at Gartner Inc., a technology consulting firm.



About this Entry

This page contains a single entry by Seth A. published on March 11, 2005 12:49 PM.
