This week, I tackle two Microsoft controversies: a new Microsoft policy to provide the US government with advance security patch notification and the end of support for Visual Basic (VB) 6.0, which is causing much fretting and angst in certain quarters. Let's dive in.
Microsoft Grants Early Patch Access to US Government
Microsoft has revealed that it will provide the US Department of Homeland Security (DHS), the US Air Force (USAF), and similar organizations early access to software security patches that it will later release publicly. Security experts immediately assailed the move out of fears that information about the patches--and thus, the flaws--could find its way into the hands of malicious hackers.
Here's the problem: If Microsoft provides detailed information about a Windows security flaw far enough in advance of the public fix, malicious hackers could use that information to construct malicious software (malware) that exploits the vulnerability. Microsoft, however, is providing only the actual patches, not detailed information. Even so, hackers already reverse engineer patches the day the patches are released to discover which software processes the patches change, and thus, in many cases, gather information about the flaw they fix. That said, this is generally difficult and time-intensive work.
Although the company acknowledges there is some risk, Microsoft tries to counter these fears by noting that it will disseminate patches only to trusted government agencies. However, reports last week noted that the DHS would provide other government agencies with access to the Microsoft patches as needed, heightening fears that the patches could be used for illicit purposes: The patches will likely be provided to a wide range of people, any one of whom could spread the code to hackers.
Is it a risk worth worrying about? According to the USAF, it has successfully tested early access to Microsoft security patches for a year and is officially rolling out the program after much success. Because of the classified nature of much of that agency's work, the USAF believes that it's imperative that it have early access to patches for security reasons. The USAF also acts as one of Microsoft's external test beds. Patches provided to the organization later show up publicly through Microsoft's scheduled monthly security patch release. The program has been so successful that other government agencies want to be involved. In some ways, this desire speaks highly of the quality of Microsoft patches, which were once the source of distrust and even ridicule in certain quarters. You know who you are.
VB 6.0 Users Decry End of Support
A group of VB developers, many of whom were elected into Microsoft's Most Valuable Professional (MVP) program, have signed a petition asking the software giant to continue support for VB 6.0. This software development environment predates the Microsoft .NET initiative, which moved the company's developer tools to object-oriented managed code, significantly changing the VB language syntax. For many users of earlier VB versions, the change was too dramatic, and they've stuck with VB 6.0 even as Microsoft gets ready to ship the third Visual Basic .NET release later this year.
Here's the problem: The 7-year-old VB 6.0 release is comparatively ancient technology that's set to enter extended support on April 1, 2005, effectively ending free incident support and critical updates for the product. VB 6.0 supporters want to see Microsoft continue to support VB 6.0 (though it has already extended the standard support period for the product once) and, incredibly, to release new VB versions that use the old COM-based code that VB 6.0 uses--not the .NET managed code style that Visual Basic .NET uses.
Yikes. The curious continued existence of Microsoft Visual FoxPro notwithstanding, Microsoft doesn't have a history of keeping ancient products on life support like that, especially when the company has, in fact, continually updated the programs with new versions. For comparison, imagine if a group of Windows 9x supporters rallied together and asked Microsoft to release a new version of that product now, despite the fact that the company had already migrated to the Windows NT code base years earlier. We're basically talking about the same thing. Except for one thing: VB 6.0 is 2 years older than the last Windows version based on DOS/Win9x. It's time to move on, people.
Full disclosure: I'm a VB guy from way back (in fact, I wrote books about VB 3.0, VB 4.0, and VB 6.0, but not, notably, about any of the .NET versions), so I feel the pain. But these VB 6.0 supporters need to understand that VB 6.0 is too limited to be relevant today and in the future. Maybe this is an opportunity for a third party to pick up the "Classic BASIC" syntax of VB (REAL Software's REALbasic--see the link below--is one inexpensive possibility). But asking Microsoft to fork product development years after the fact is a bit much, sorry.