It seems that Microsoft have released (or were planning to; I’m on Linux so I have no way to check this) their patch to the .WMF exploit which has been in the news lately. I don’t know much about this, since it generally doesn’t concern me what Microsoft do with their buggy software, but I thought it was important enough that I should post about it here, so that people running Windows can update as soon as possible. I am led to believe this patch is available through the standard Windows Update mechanism.
Microsoft were originally planning on releasing this patch on Tuesday January 10th, 2006. This is an example of what Microsoft do best, postponing security updates for no good reason. From what I hear, this has been known about for at least 3 months, and probably longer. If a Linux kernel or major application had a similar security issue, this would be fixed in a matter of days, with patches available and all source trees updated. Microsoft, knowing about this for months, are generous enough to release a patch around 4 days earlier than they originally planned.
Microsoft, I have news for you. Security patches are not major PR events. They are not product launches; they do not need to be scheduled and have a big welcome party. Just patch your software as soon as you develop the patch (which should be as soon as the software vulnerability becomes known, that is, known either to yourselves or publicly).
Don’t wait until this becomes a big media issue; I know there is the “any press is good press” philosophy associated with some large companies, but it really isn’t. The better stories would be the word-of-mouth of those “in the know” about computer security saying “Hey, Microsoft release patches on time. Windows is a stable, secure platform to work on”. Now, everyone “in the know” is running round telling people that Microsoft shouldn’t have waited so long. That is not good press, that is a bad reputation.
For everyone else reading this, I urge you to pressure Microsoft as much as possible into improving their security. If they don’t, there is a simple way you can get the message across to them – stop buying their software. If enough people stop buying, they’ll realise that there is a problem and they might actually do something about it (probably not; they’re Microsoft, they don’t care).
I feel I should note that this article is opinion, mostly. Not everyone sees Microsoft in the same light; such people are what I’d call misguided!