Microsoft Must Rethink Security Response

Opinion: Microsoft's response to the WMF exploit highlights the monolith's need to change its patching ways.

It's time for Microsoft to rethink its response to security holes.

The software vendor's slow response to a serious vulnerability in WMF (Windows Metafile) recently wasn't good enough. Further, the company must speed the delivery of regular patches to customers.

Responding to the first broad publication of the WMF vulnerability on Dec. 27, Microsoft initially said it would not release its patch for the WMF hole until its next regularly scheduled security updates on Jan. 10. But under pressure from the press and security experts, Microsoft made the patch available ahead of schedule on Jan. 5. Whether anxious to avoid the stigma of being forced to take dramatic action or merely seeking to minimize its own costs of patch certification and support, Microsoft allowed the WMF vulnerability to linger, exposing its customers to the frighteningly fast infection rate of exploits using the hole.

With the emergence of zero-day exploits, logic and common sense dictate that a monthly patch release is just not effective to keep IT environments free of malicious exploits. The absence of a patch can be far worse than the additional overhead of one patch. Microsoft should have given IT managers the choice between the extra work of deploying two patches and the risk of leaving systems vulnerable for several days.

By leaving customers hanging, Microsoft opened the door for third-party patches, exacerbating confusion for IT managers. While Microsoft stalled with its patch delivery, anti-virus vendor McAfee announced that as of Jan. 3, more than 120,000 of McAfee's customers had been attacked using the WMF vulnerability.


In addition, Ilfak Guilfanov tried to help the community by releasing a third-party patch, which was endorsed by some security experts. Unfortunately, Guilfanov's Web site buckled under the deluge of download requests, leaving IT managers frustrated and searching for alternatives. With millions of Windows-based machines on the market, few third-party companies—and fewer still with the talent to devise a robust patch—have the extensive network infrastructure and delivery tools required to get a patch to the masses.

Patch management is high on the list of IT headaches, and the need to constantly patch machines has made Microsoft products difficult to maintain and secure. IT managers have a right to have securable systems, and they shouldn't have to rely on outsiders and crossed fingers to receive patches in a timely way. With Windows XP's source code topping 40 million lines, vulnerabilities and patches won't soon go away.

It may be that Microsoft is looking ahead to a service it is developing, called Windows OneCare Live, to give customers prompt relief from vulnerabilities. OneCare Live will provide firewall, anti-virus and backup services primarily to consumers. But OneCare Live, currently in beta test, is slated to require a subscription fee. We believe that Microsoft should spend its time and energy helping its current customers rather than developing for-pay services for tomorrow.


If the company hopes to get a good reception for a new and even more complex Windows Vista later this year, it had better prove it can protect and maintain what it's shipping now.
