September 19, 2020

Microsoft: No Security Updates for Infringers

Microsoft, reversing a previous decision, says it will not provide security updates to unlicensed users of Windows XP. Microsoft is obviously entitled to do this if it wants, since it has no obligation to provide product support to people who didn’t buy the product in the first place. A more interesting question is whether this was the best decision from the standpoint of Microsoft and its existing customers. The answer is far from obvious.

Before I go further, let me make two assumptions clear. First, I’m assuming Microsoft has a reliable way to tell which copies of Windows are legitimate, so that they never deny updates mistakenly to legitimate customers. Second, I’m assuming Microsoft doesn’t care about the welfare of infringers and feels no obligation at all to help them.

Helping infringers could easily hurt Microsoft’s business, if doing so makes infringement a more attractive option. If patches are one of the benefits of buying the product, then people are more likely to buy; but if they can get patches even without buying, some will choose to infringe, thereby costing Microsoft sales.

On the other hand, if there is a sizable population of unpatched infringing copies out there, this hurts Microsoft’s legitimate customers, because an infringing customer might infect a legitimate customer. A large reservoir of unpatched (infringing) machines will aggravate an already serious malware problem, by making Windows an even more attractive target to malware authors, and by speeding the spread of new malware.

But wait, it gets even more complicated. If infringing copies are susceptible to existing malware, then some of the bad guys will be satisfied to reuse old malware, since there is still a population of (infringing) machines it can attack. But if infringing copies are patched, then the bad guys may create more new malware which is not stopped by patches; and this new malware will affect legitimate and infringing copies alike. So refusing to update infringing copies may leave the infringers as decoys who draw fire away from legitimate customers.

There are even more factors in play, but I’ve probably written too much about this already. The effect of all this on Microsoft’s reputation is particularly interesting. Ultimately, I have no idea whether Microsoft made the right choice. And I doubt that Microsoft knows either.

  1. Internet Public Health and the Supercomputer of Evil

    Ed Felten thinks that it’s not obvious if Microsoft did or didn’t make the right decision when it recently announced that unlicensed copies of Windows won’t get security updates. I, on the other hand, think it’s reprehensible. Microsoft has made a bus…

  2. Here’s one permutation you may not have thought of. A few years ago I bought a Dell computer. Dell does not install “regular” MS Windows on their machines, instead they install a Dell version–and the product keys they supply only work with their version; they don’t work with a regular MS version.

    The power outage throughout the North East last August killed my home computer (Scandisk was running when the power went out and I’m assuming it was working on the system files since the machine wasn’t recoverable). When I went to reinstall the OS, the original Dell CD containing their version of Windows XP wouldn’t install (damaged or corrupted disk?) so I called Dell support for a new disk. After two hours of arguing, they ended by telling me to go to CompUSA and buy a new operating system since they wouldn’t replace the disk. The Dell computer was 19 months old and under warranty.

    I, of course, wasn’t going to buy the OS twice, so I downloaded a warez copy with a bootleg key and reinstalled the OS. So now, I’m technically running a bootleg copy of XP but I also “own” a legal copy that I’m unable to use because the vendor I bought the computer from won’t supply a copy of their own customized version.

    Personally, I’m not too concerned about Microsoft’s updates–there are quite a few ways to get them. But, if they aren’t careful all they’re going to do is create a lot more animosity by restricting access. I’ve already vowed to never buy another Dell computer. Not because they failed to live up to their warranty (which actually is reason enough), but because they didn’t provide me with a “real” copy of XP with a “real” XP product key. Had they done this, it would have been real easy to borrow a CD and reinstall the OS using my “legal” key.

  3. This creates one additional attractive target for malware: the licensing/registration information. Several viruses and worms already attack anti-virus installations. Now they can improve drone availability by corrupting registration data. I hope that patch denials are not silent.

  4. Florian Weimer says:

    All this discussion is going to lead to one thing: people who believe they are infringers won’t apply patches. And it’s not just Windows, but Office, games etc. Quite a few users fear that Microsoft might spy on them and search their computers for illegally copied software, and that Microsoft only can do this if the users instruct their computers to run Windows Update.

  5. I don’t understand one of your arguments:

    “On the other hand, if there is a sizable population of unpatched infringing copies out there, this hurts Microsoft’s legitimate customers, because an infringing customer might infect a legitimate customer. A large reservoir of unpatched (infringing) machines will aggravate an already serious malware problem, by making Windows an even more attractive target to malware authors, and by speeding the spread of new malware.”

    But this won’t hurt legitimate users if they have patched, right? They will be immune to the infections from the pirate machines. It will only hurt unpatched legitimate users.

    So the question is, how much does this additional pool of unpatched machines hurt legitimate but unpatched users. My feeling is that being unpatched is extremely unsafe in either case (whether the additional unpatched machines exist or not), hence Microsoft should not make a decision on the basis of what is best to protect its unpatched legitimate users. In truth, Microsoft cannot effectively protect them. Hence this consideration doesn’t carry much weight, and the negative impact of unpatched pirate copies is not significant.

  6. Mark: I don’t know whether what you did was legal. But if it was, then your experience teaches us that my assumption, that Microsoft can reliably tell legal copies from illegal ones, may not be very good. And if that assumption breaks down, then things get much more complicated.

    Liudvikas: Good point. If this happened, it would also undermine the assumption that Microsoft can tell legal copies from illegal ones.

    Florian: Another good point. None of this matters if infringers refuse updates.

    Cypherpunk: You’re right that this only affects customers who haven’t patched. That’s what I had in mind but I should have said so explicitly.

    I agree that people should patch their systems, but many users fail to stay up to date on patches. I think Microsoft should be trying to protect those people too. The best way to protect them is to convince them somehow to start patching; but if they won’t patch, the next best way may be to offer patches to infringers.

  7. Chris Tunnell says:

    Florian: Don’t you already trust Microsoft to be “good” when you initially install Windows?

  8. In response to Cypherpunk:

    A population of unpatched infringers could still be useful to launch attacks against patched customers. The unpatched population could be used to set up a botnet to launch denial-of-service or other attacks that don’t rely on the targets having the same vulnerabilities as the botnet machines.

    Of course, this is a risk for all users on the network, not just Microsoft customers specifically.

  9. Ed: I’m sure that what I did is technically illegal, which is why I didn’t (haven’t) included an email address. Since I can easily prove that I’ve purchased a right to the software I doubt MS would prosecute, but I see no reason to tempt fate.

    As to the patches, I turned on Automatic Update when I installed the warez version and it regularly goes and gets the updates and asks me whether or not to install them–just like my legal version at work. In fact when I first installed the warez version at home I paid attention to what it wanted to update and what my work machine wanted to update and they were identical. So, even if MS can tell the difference, it hasn’t affected what updates I get.

    Also, FWIW, I don’t see how MS could know which versions are/are not “legal.” The product key is nothing more than the response to a challenge/response algorithm. Any “entry” that satisfied the mathematical requirements of the algorithm would unlock the product. The only way around this would be for MS to create a “lookup table” of keys they’ve issued, keys their “partners” have issued, etc. while simultaneously maintaining a table of the number of “instances” a given key could be used for. They would also have to implement some method of deregistering these instances since it is legal to move the software from one physical machine to another. This sounds like a paperwork nightmare.

    FWIW, the bootleg key I used at home was a volume license key–the installation didn’t require “activation.” But I haven’t the faintest idea if the key was one issued by MS to one of their volume license customers and escaped into the wild or if it was one created by someone who wrote a program to satisfy the challenge/response algorithm, but without a lookup table they’re equivalent.

  10. Chris Tunnell says:

    Mark: They don’t have to match it up. They are trying to reduce the amount of illegitimate users able to update. Their requirement is that the users that have bought the software need to update. If we are Microsoft and are only bound by this requirement, how do we block illegitimate copies?

    We could do a web-search for keys that are “out in the open” and block these. This would block a good portion of illegitimate users since people either “google” for keys or they use a friend’s.

    Think of Microsoft as a bar-tender in a college town. It is hard to determine if an I.D. is fake, but it is easy to figure out who to reject when many people have the same name of “John Smith.”

  11. I think a lot of the problems that occur with viruses happen simply because people are not aware of what dangerous things they may be doing such as wantonly opening email attachments and visiting sites that likely will try to install malware. Personally, I never update my XP installation because the service packs are reputed to reduce system performance and I also worry about what kind of privacy standards Microsoft actually maintains.

    Occasionally I install Norton or some utility and scan my system and as of yet I have had no problems. That being said I do keep my data backed up and format my hard drives on a semi bi-monthly basis. This is something I think computer users should do regardless of whether they have patches. It forces users to backup their data and improve system performance.

    My two cents.

  12. For a long time, I refused to allow the update to run on my PC. There was an issue with SP1 for XP when it first came out, where it changed the license for your computer: it gave MS the right to download and install whatever they wanted to on your box, similarly for media player 9. There are probably other folks who are as crotchety as myself when it comes to who is permitted to install stuff on my personal property. The person who controls what software gets installed is the person who owns the PC. I don’t remember MS sending me a check to pay for my PC.

    Some of the unpatched PCs will continue to serve as a zombie army for distributed attacks and for the spam wars. MS might not care, it’s only their reputation. They made all the versions of Windows up to win2k trivial to pirate, in order to quash any potential competition, now they are reaping the monopoly rents.

    In the end, I believe they are making a mistake by not letting everyone get the patch. Unless the intention is to deliberately release a defective product and only allow some of the paying customers to get the deliberate holes filled in. I am sure some lawyers can have fun with that.

  13. I’m sure there are lots of explanations for this, but the bottom line is that there is a cost transfer from Microsoft to me (even if I’m not a Microsoft customer!) if unlicensed Windows copies send me packets and eat my Internet bandwidth.

    Microsoft’s decision is explicitly costing me, and every other Internet user, money.

    But this move provides us with an opportunity to correct the situation. We can apply a Pigovian tax on Microsoft software to make up for this negative externality. Let’s use Microsoft’s own estimates for virus/worm damage, excerpted from Congressional testimony, as the additional social cost which needs to be collected from the tax on Microsoft software!

  14. This will likely drive Infringers to either purchase a legal copy of Windows, or search out alternative, and possibly free operating systems like Linux.

  15. Steve – On the contrary, it is the pirates who are running unlicensed Microsoft software who are costing you money. They are the ones whose machines running stolen software are sending out packet floods. If they hadn’t stolen the software they could get it updated and would be less vulnerable.

    Of course, ultimately it’s the people who wrote and distributed the viruses who are costing you money.

  16. Cypherpunk — I don’t agree. Microsoft produces the software with the vulnerabilities. If you could tax the pirates then you could get them to pay for the software. Microsoft will have no incentive to invent better ways to stop their products from harming others unless you ask them to pay the costs associated with using their software.

    We can use the tax revenue to pay a third party to make a stab at cleaning up Microsoft’s mess.

  17. Steve – Let me get this straight. You’re saying that Microsoft should be held responsible for the damages caused by people who steal its software? People for whom Microsoft is doing its best to keep them from getting it? That doesn’t sound right to me.

    And Microsoft has plenty of incentive to make its software work better even without your motivational suggestions. Why do you think they have reoriented themselves towards security over the past few years? Microsoft’s textbook on writing secure code is generally considered the standard in the field. It’s true that they still have a ways to go, simply because their burden of legacy code is orders of magnitude greater than that of most other companies. But by all accounts they are working very hard at making their products more secure, and holding them responsible for the actions of pirates would only be counterproductive.

  18. First, Microsoft doesn’t sell their software to anyone. They own it, regardless of who is using it. Their licensing technique is both a blessing and a curse.

    Second, Microsoft may have a great marketing program to convince you that they work towards better security. They may even make progress. It’s irrelevant. There are negative externalized costs associated with their product development and business. And, yes, I’m suggesting that it is time for us to let markets work on solving that problem instead of relying on the benevolence of the monopoly stakeholder.

  19. william says:

    the idea is that everyone will have to use ms’s *secure* operating system, ‘for a small fee’, of course… and that is going to be the only way to beat the virus writers from commandeering your machine for the distribution of god knows what you are to be held liable for.

    ms wants a monopoly on security