Why does Microsoft push unpatched software via Windows Update?

It is, for a change, a very good question from CNet. If you know that security vulnerabilities exist in your software, and you’ve already patched those vulnerabilities, and you have a well-documented process for slipstreaming patches into existing installs, and you have an automatic update process …

… why in the hell would you have that automated update service push the unpatched software rather than fully patched versions?

The short time between install and patch isn’t a good enough reason. Even if Microsoft automatically forced a re-run of Windows Update after each update session, as Mac OS X does, history shows that it doesn’t take long for unpatched, vulnerable software to be exploited. There is relatively little cost to Microsoft to prepare fully patched downloads, and the payback is huge risk avoidance. Fix it, already, guys.

Google opens the Cloud

Google App Engine appears to be Google’s answer to Amazon’s web services—a simple, highly scalable development and deployment platform for web apps that need to scale. It’s an interesting offering that takes a slightly different tack from Amazon, with the requirement to build an app as a fully integrated stack (not to mention, the application needs to be in Python, at least for the first iteration). But I like it nonetheless, especially at the entry pricing: as Dave Winer pointed out in a prescient piece last week, web services should be free at the low-bandwidth end of things; it’s a great way to build an ecosystem. Having one player in the cloud business is an experiment. Two makes it competitive, and that means that the offerings for developers will only get better and better.

It raises the question, of course, of when Redmond will wake up and realize that the last remnants of its Old Republic are being swept away.

Congrats to Google product manager and Sloanie Tom Stocky, who seems to be at the center of a lot of good things from Google these days.