Linked by Thom Holwerda on Wed 4th Jan 2006 22:45 UTC
Windows The saga around the WMF flaw in Windows continues. "A cryptographically signed version of Microsoft's patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company's round-the-clock efforts to stop the flow of malicious exploits. The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused 'a fast-track, pre-release version of the update' to be posted to a security community site and urged users to 'disregard' the premature update."
Thread beginning with comment 81884
To read all comments associated with this story, please click here.
Well done
by diegocg on Thu 5th Jan 2006 00:31 UTC
Member since:

Microsoft has the patch, still they don't release it because of the needed testing they have this weird rule of only releasing security fixes on tuesday)

I only can say: WELL DONE. When you've 95% of the computer market share you just can't take two weeks to release a critical fix that is already being exploited. Release it early even if it's buggy.

The patch breaks something? Well, who cares. Your system is broken because of a unpatched security bug anyway. Time has show that what is important is not the quality of the software, but how fast you can fix it. Just make the patch, test it slightly so it don't breaks the basic functions of the OS, release it to protect your users, do extensive testing, check if it breaks something, and if it breaks something release another security fix. While this metodology may look crazy, it sure has a lot more sense than having to wait until 10th January to get a fix and be exposed to be infected by Yet Another Worm.

Of course this won't work because of the stupid "if you release a fix to fix a fix your company is crap" mentality. It's amazing how companies don't matter releasing untested versions of software when there's a lot of pressure to release a product (Microsoft has eliminated a release candidate version from Vista because of the lack of time), still they will spend a full week to test and release a bug that is already being exploited and is already coded today.

Edited 2006-01-05 00:37

Reply Score: 5

RE: Well done
by Celerate on Thu 5th Jan 2006 05:51 in reply to "Well done"
Celerate Member since:

"Just make the patch, test it slightly so it don't breaks the basic functions of the OS, release it to protect your users"

As long as they make it optional. I can go a while without browsing untrusted sites in Windows (or I could just use Linux) and would rather that than having things break because of the patch. I'm sure sysadmins for big companies would really appreciate having the WMF hole patched at the expense of breaking other parts of the OS and having users complain to them all day, they may even get fired for fixing a problem most ignorant users were oblivious to at the expense of bringing up several other problems that those users aren't so oblivious to.

Early access for those who want it is fine, as long as the experimental patches are deselected by default and labeled as experimental on the Windows update site.

Reply Parent Score: 2