Time for Microsoft to Change Its Patch Policy?

Don't hold your breath, Dude.

A very interesting post on the Google Online Security Blog analyzes which web servers are responsible for the world's malware.

Microsoft IIS 6 tied with Apache at 49% for compromised servers, even though Apache has a 40% lead in deployments. Apache makes up at least 50% of the malware servers in every country, save for Asia (China and S. Korea). The reason? Google says it's because of the high rate of piracy in Asia, and Microsoft's policy of not patching pirated systems.

We suspect that the causes for IIS featuring more prominently in China and South Korea could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy (piracy statistics from NationMaster, and BSA), and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems.

Is it time for a change? Based on this information, I agree with Google. I think the evidence is pretty clear here that Microsoft's patching policy hurts legitimate customers much more than it does pirates. As much as I support technologies that reduce piracy (so that maybe Microsoft can lower prices), I can't support this policy if it puts my family's computers at risk. Pirated copies of Windows should be allowed to connect to Windows Update for Critical updates, without fear of retribution from Microsoft. That means they should be able to get updates without worrying that WGA is going to shut down their system.

Microsoft has many ways to fight piracy. Punishing paying customers by putting them at risk should not be one of them.

http://www.windows-now.com/blogs/robert/archive/2007/06/05/
time-for-microsoft-to-change-its-patch-policy.aspx