Tuesday, January 03, 2006

Comments, Please

I really don't know how to take Microsoft's response(s) to the recent .WMF vulnerability flap. I'm soliciting comments from everyone on this.

While Microsoft readily acknowledged the existence of the vulnerability, they steadfastly clung to the position that user interaction was necessary to exploit it long after it was known that this is not true.

Today, 3 January, they announced they have a patch completed, but will not release it until 10 January, which is their regularly scheduled "patch day". While I realize that they have to test any patch thoroughly, it seems to me they should be expediting this at any and all costs and releasing it sooner, if humanly possible.

After all, millions upon millions of PCs are at risk here. The distribution of the exploits related to this vulnerability is widespread. It's not just dodgy web sites. They're arriving in emails and have been slipped onto more reputable sites that have been compromised. In my opinion, Microsoft simply cannot continue to treat this casually and act as if users will be at fault because of their surfing habits.

What do you think?


  1. Anonymous 7:23 PM

    I can only speak as a tech for a major corporation. IT Risk is aware of the vulnerability and as far as I have seen there are no plans to install the patch that is available. When the MS patch is out they will do a deployment ASAP after testing. I'd be interested to see what would happen should we experience a problem before then.

    As a home user so far I have unregistered the .dll but not gone any further. I'm not all that alarmed or concerned; should I encounter a problem I'd wipe and do a clean install if necessary.

  2. Huffie 6:34 AM

    Unless something really hits the fan and multiple major companies are taken down by the WMF situation (before the MS patch gets issued), I have a hunch that MS will, as usual, get a free pass on this.

    Most of the public probably won't know anything odd was up, and their XP system will patch itself next week before anything bad happens to their computer. (Households with web zipping teenagers and "computer clueless" parents may fare worse.)

    MS is probably waiting for their regularly scheduled "patch day" for two reasons: (1) to fully test the patch, but also (2) releasing something earlier would get them "bad press".

    I have a feeling part of the hold-up is MS not wanting to see lead stories on the nightly news about an "emergency Windows patch". After all, MS has a lot of $$$$ invested in making the general public believe Windows XP is a "secure operating system" that will protect their family from all the nasties out there on the internet.

