Security super-guru Bruce Schneier has ridiculed Microsoft's controversial idea that software could be patched using 'worm-like' programs.
Last week, researchers at Microsoft's UK lab in Cambridge said they planned to present the idea of patching that mimics the 'self-replicating' behaviour of computer worms at the IEEE's Infocom conference in April.
According to Microsoft, the advantage of such a design would be speed and resilience. In an age of zero-day attacks, such an idea could offer benefits.
Now BT Counterpane CTO Schneier has become the latest and best-known expert to point out the concept's flaws in no uncertain terms. "Patching other people's machines without annoying them is good; patching other people's machines without their consent is not," he said in his much-read blog.
"Viral propagation mechanisms are inherently bad, and giving them beneficial payloads doesn't make things better. A worm is no tool for any rational network administrator, regardless of intent."
For Schneier, the key issue is not whether such a program would be effective as a patching tool, but whether it would have the user's full consent. "A successful worm, on the other hand, runs without the consent of the user. It has a small amount of code, and once it starts to spread, it is self-propagating, and will keep going automatically until it's halted."
Microsoft's researchers have hit back at some of the criticism, claiming it misunderstands what is being proposed.
"My focus is fundamental research on improving the efficiency of data distribution of all types across networks, and isn't limited to certain scenarios or types of data but investigating underlying networking techniques," lead researcher Milan Vojnovic was quoted as saying in a response to ZDNet UK.
It should also be pointed out that the worm-patching concept is just that, a concept: Microsoft has said that it has no plans to start using it in live products.
Microsoft made the paper outlining the idea available in July 2007, and this can be read in all its controversial glory [PDF] on the Microsoft website.