You can argue, as I did, that the mitigating factors were strong and it wasn't as serious an issue as some argued, but clearly the watershed event in getting past it was Microsoft's prompt release of a patch last week.
"Prompt release of a patch"—there's a phrase you don't hear referring to Microsoft very often. How was it possible for Microsoft to release a patch in about a week? This is unusual for the company.
eEye has, as these things go, a long history of reporting severe vulnerabilities and getting credit when Microsoft finally discloses and fixes them. You'd think that Microsoft would take vulnerability reports from eEye seriously as a matter of course.
But these are the report dates on eEye's current list of vulnerabilities that have been reported to Microsoft and are still awaiting patches:
- Oct. 17, 2005—Severity: High (Remote Code Execution)
- Oct. 11, 2005—Severity: Medium (Denial of Service)
- Aug. 1, 2005—Severity: High (Remote Code Execution)
- June 27, 2005—Severity: High (Remote Code Execution)
- May 5, 2005—Severity: High (Remote Code Execution)
Microsoft's explanation for this staggering lead time has generally been about the necessity of testing patches thoroughly and the company's need to release simultaneously in 20-something languages.
Fair points all, since many other vendors and open-source efforts seem to view testing as something their users should be doing. But eight months? Before too long you'll be able to test these patches with carbon-14 dating.
And the response to the WMF vulnerability unmasks the insufficiency of the whole process. Of course, it didn't need this episode to be unmasked; Microsoft's slow response was well-known in the past. But never has it responded so quickly to a zero-day attack.
If there is a certain amount of minimal overhead time built into the development and testing process for patches, clearly it's not a large amount, and no larger than about a week. And not just any week: The WMF patch testing happened over a holiday weekend!