Just when we think Microsoft finally understands the importance of security, we get this WMF fiasco. Here was a situation with all the makings of a catastrophe: a zero-day attack based on a long-standing design flaw, discovered at a time when everyone’s on vacation, exploited using something as innocuous as a picture on a Web site.
Microsoft’s response? A crash holiday effort that produced a working, effective patch within days. Followed by a decision to not release the fix until the next monthly patch dump, and a public announcement of that decision so that every bad guy could declare open season on Windows PCs until Jan. 10. Followed, at last, by a decision to release the patch ahead of schedule after all.
That, finally, was the right decision. But why did Microsoft’s management strain so mightily in the wrong direction before doing the right thing? Microsoft programmers did their job. We know that because Microsoft’s WMF patch showed up briefly on a security Web site a week before its scheduled release (“inadvertently,” Microsoft said). Security gurus who examined it said it worked and didn’t conflict with a non-Microsoft patch that was already available.
But Microsoft didn’t release its patch then. Why not? The official answer: It wasn’t thoroughly tested and available in all languages and for all versions of Windows. The scuttlebutt: Microsoft bigwigs didn’t want “Microsoft Issues Emergency Fix” headlines and viewed the WMF threat as overblown — although, fortunately, someone in Redmond thought it was dangerous enough to build an emergency fix during the holiday break.
Let’s be clear about this: Microsoft was right to reverse course. Those bigwigs who wanted to hold the patch were right to listen to customers and release it ahead of schedule. Yeah, the flip-flop looks embarrassing, and they’ll take some flak for that. But they deserve thanks, not grief.
Getting that patch out the door four days early is going to make a difference. We’re all better off with the right decision than with a foolish consistency. But, that said, why the heck did they get it so wrong in the first place?
They had options. They could have released a patch early and warned customers that it wasn’t fully tested. They could have even called it a beta and asked customers for feedback, since no IT shop was going to put it into production without testing it.
Instead, amid growing concerns from security experts and hundreds of new WMF exploits and tools for bad guys, Microsoft kept saying customers should just tweak the Windows registry and wait for the next patch cycle.
Microsoft’s decision-makers apparently got two things wrong. First, they underestimated the seriousness of the WMF threat. And second, they assumed that their estimate was the one that mattered.
They were wrong. Security decisions belong to IT shops. That’s where the buck stops. That’s where risk can be assessed. To patch or not, when to patch, what to patch… corporate IT has to make those choices.
Microsoft’s role is to support those decisions, not preempt them. Holding up a fix because it’s inconvenient or embarrassing or seems low-priority isn’t the way to do it. Responding as fast as possible is the way to go.
This time, in the end, Microsoft listened to customers, delivered the goods and did the right thing. Eventually.
Almost exactly four years ago, Bill Gates wrote his “Trustworthy Computing” memo telling Microsoft employees to treat security as a top priority. Since then, we’ve been told, Microsoft has made great strides in improving its products’ security. And it’s clear that Microsoft’s developers understand what’s needed. But it’s just as clear that when it comes to figuring out security, Microsoft’s management still has a long way to go.
— Hayes, Computerworld (U.S.)’s senior news columnist, has covered IT for more than 20 years. He is at firstname.lastname@example.org.