Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Patch WMF Exploit Early

Posted by CmdrTaco on from the well-i-guess-early-is-relative dept.

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."

7 of 306 comments (clear)

  1. Reactive vs Proactive by biocute · · Score: 5, Insightful

    Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

    It would have been nicer if they make patches available as soon as possible with or without strong customer sentiment.

    --
    Virtual Betting on Facebook for non-geeks.
    1. Re:Reactive vs Proactive by grcumb · · Score: 4, Insightful

      "If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."

      I'm with you so far....

      "So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."

      Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if significantly reduces the risk.

      The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.

      And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.

      Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.

      I'm in complete agreement with this handler's diary from isc.sans.org concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  2. Splendid... by Hymer · · Score: 4, Insightful

    ...only 10 days too late...
    ---
    tis is not a FP

  3. Re:8 Days to patch by Anonymous Coward · · Score: 5, Insightful

    ProTip : If a third party can patch it faster than you, without access to the original source code - you suck.

  4. Thank you, Big Brother by Gadren · · Score: 5, Insightful

    "It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week. "

  5. Re:8 Days to patch by croddy · · Score: 5, Insightful
    1. Release patch 8 days late
    2. Describe it as an "early" release
    3. ???
    4. Profit!!!
  6. "testing ... completed earlier than anticipated" by antispam_ben · · Score: 4, Insightful

    Translation: "Our ass needed covering even earlier than anticipated."

    --
    Tag lost or not installed.