A disconnect in Redmond
Ed Bott, a best-selling author who has written extensively on the Microsoft Windows platform, said the hemming-and-hawing from Redmond represents a disconnect between the Windows Media team and the MSRC (Microsoft Security Research Center).
"First, they issued the patch for WMP10 but they did nothing to publicize it. They buried one question on a FAQ page a full week after the new version was released and only after we started making noises," Bott said in an interview with eWEEK.com. "When you're dealing with the MSRC, there's a fairly high degree of transparency in acknowledging [a problem] and releasing a fix."
"This would have been a non-issue if they had dealt with it in an upfront manner three months ago," Bott said, adding that it was unacceptable for Microsoft to take three months to provide protection for a large user base. "The last thing you want to do is clean up a mess after it occurs. Any vector for the distribution of spyware should be taken seriously," he said, pointing out that Microsoft has already outlined plans to enter the anti-spyware software market.
Eric Howes, an anti-spyware activist who provides consulting services for Sunbelt Software, echoed Bott's thoughts. "Since January, Microsoft couldn't get its act together. Throughout this episode, they couldn't even put out a correct story about what's going on and what they'll do to correct it."
Howes said it was always optimistic to expect Microsoft to provide comprehensive fixes within 30 days but said it was "inexcusable" to take three months to provide the necessary protection. "We know these [rigged] files are still being distributed. This is an installation vector that is ripe for abuse, and the spyware writers/vendors have figured that out. It's still a very serious problem," said Howes.
Anti-spyware researcher Ben Edelman said Microsoft should be commended for agreeing to provide a WMP9 patch.
"Microsoft doesn't always 'back-patch' its older products, and it wouldn't have been unprecedented for them to decline to do so here. But having said they'd provide a patch, it does seem like they need to go forward with doing it. The delay has certainly been striking," Edelman said.
"I think it's commendable that Microsoft agreed to provide a WMP9 patch, important given the serious deception/trickery that the current WMP9 allows, but honestly not something I was expecting," Edelman added.
"The way they handled this has been baffling. What strikes me as odd is that the Windows Media division seems to have a different philosophy toward security than other divisions at Microsoft," Bott said.