Mar 31 2004
It’s pretty much accepted as standard in the software industry that if you have a vulnerability in your product, you offer up a patch to your customers, past and present, for free. ISS doesn’t feel that rule should apply to them. Last week the Witty worm (Trend Micro)(Symantec) was released, targeting a vulnerability in BlackIce and other products from ISS. ISS had had a fix out for the vulnerability, but it was only available for customers who have current licenses, since it was not a patch, but an upgrade to the latest version of BlackIce. Customers who had let their licenses lapse were, and still are, out of luck.
This article from ZDNet UK highlights the issue. I purchased BlackIce for use at home two years ago on the advice of a co-worker. I was moderately happy with it, but when it came time to renew the license, I passed. For $40, BlackIce is a pretty good program, but for $20/year, I’m just don’t find the value to be there. I have a number of other protections on all of my systems, such as two firewalls between me and the Internet, antivirus software and several other freeware/shareware programs designed to protect my computers. BlackIce was redundant, but I like having multiple layers of security on my computers.
So I left BlackIce on the system, but didn’t upgrade it. I figured the basic functionality wasn’t going to change all that much, so I would get 90% of the protection without having to worry about a patch breaking the system, as so often happens. Now I find that rather than adding to my security, having BlackIce on my computer actually makes my computer more vulnerable to attack than ever, and there is nothing I can do, except dump BlackIce or pay ISS $20 to renew my license. Guess which one I’m going to do.
So what is the responsibility of software companies concerning their out of license customers? I think so. ISS is setting a dangerous precident, one which I’m sure Microsoft would love to follow; you, the customer must continue to pay for the product through licensing fees if you want to have patches for the product, despite the fact it was flawed when it shipped. Pressure needs to be applied to ISS concerning this issue; emails, letters, blog entries (;-)), press releases, whatever it takes to get them to change their mind. The product was broken when you sold it, you need to fix it for free, not expect me to pay for the patch.
Let me know your opinion on the matter.