The Microsoft Supply Chain Works Even Better Going Backwards

March 4, 2021

Do you remember the character KIR-mit? He once allegedly said:

Yeah, well, I’ve got a dream too, but it’s about singing and dancing and making people happy. That’s the kind of dream that gets better the more people you share it with.

I am not talking about Jim Henson’s memorable character. That frog spelled its name Kermit. This is KIR-mit, an evil doppelgänger from another universe called Redmonium.


This KIR-mit is described in “Microsoft Is Using Known Issue Rollback (KIR) to Fix Problems Caused by Windows 10 Updates.” I learned that KIR

enables Microsoft to roll back changes introduced by problematic patches rolled out through Windows Update. KIR only applies to non-security updates.

Does the method expand the attack surface for bad actors? Will weird calls to senior citizens increase with offers to assist with KIR-mit modifications? Will questionable types provide links to download KIRs which are malware? Yes, yes, and yes.

The article points out:

Known Issue Rollback is an important Windows servicing improvement to support non-security bug fixes, enabling us to quickly revert a single, targeted fix to a previously released behavior if a critical regression is discovered.

KIR is something users have said they wanted. Plus Microsoft has had this capability for a long time. I recall reading that Microsoft had a method for verifying the “digital birth certificate” of software in order to identify and deal with the SolarWinds-type of supply chain hack. I point this out in my upcoming lecture for a law enforcement entity. Will my audience find the statement and link interesting? I have a hunch the cyber officers will perk up their ears. Even the JEDI fans will catch my drift.

Just regular users may become woozy from too much KIR in the system. Plus, enterprise users will be “in charge of things.” Wonderful. Users at home are one class of customers; enterprise users are another. In between lies an attack surface the size of the moon.

Several questions:

  • Why not improve the pre-release quality checks?
  • Why not adopt the type of practices spelled out by in-toto and other business method purveyors?
  • Why not knock off the crazy featuritis and deliver stable software in a way that does not obfuscate, mask, and disguise what’s going on?

And the answer to these questions is, “The cloud is more secure.”

Got it. By the way, a “kir” is a French cocktail. Some Microsoft customers may need a couple of these to celebrate Microsoft’s continuous improvement of its outstanding processes.


As KIR-mit said, “It’s about making people happy.” That includes bad actors, malefactors, enemies of the US, criminals, and Microsoft professionals like Eric Vernon and Vatsan Madhava, the lucky explainers of KIR-mit’s latest adventure.

Stephen E Arnold, March 4, 2021
