Microsoft, patches and what we really learned from the WMF 0day
well, folks… microsoft released the wmf patch ahead of schedule.
patches for two other critical vulnerabilities are still scheduled for release next black tuesday.
what does that teach us?
there are a few options:
1. when microsoft wants to, it can.
there was obviously pressure with this 0day. still, most of the damage out there from vulnerabilities is done after microsoft releases the patch and the vulnerability becomes public.
2. microsoft decided to skip a few qa tests this time and release a patch.
why should they be releasing beta patches?
if they do, maybe they should release beta patches more often and let those who want to use them do so. it could probably also shorten the testing period considerably.
if this patch is not a beta, but things just /happened/ to progress more swiftly.. then maybe we should revisit option #1 above.
two options, neither pretty.
it didn’t take ilfak guilfanov, without microsoft’s resources, much time at all to write his patch, which seems remarkably similar to microsoft’s and just as stable.
maybe it’s just that we are used to sluggishness. perhaps it is time we, as users and clients, started demanding of microsoft to push things up a notch.
put in the necessary resources, and release patches within days of first discovery. i’m willing to live with weeks and months in comparison to the year+ that we have seen sometimes. naturally some problems take longer to fix, but you get my drift.
it’s just like with false positives… as an industry we are now used to them. we don’t treat them as bugs, we treat them as an “acceptable level of”, as i heard aviram mention a few times.
it is time to step up your efforts, microsoft. we believe you can do it.. you keep wanting us to believe that you can. show us, and we will believe.
i may be a critic of microsoft, but unlike others, i have nothing at all against the company. i just believe that wanting to work with the industry and prove seriousness is better shown in actions.
talk is cheap.
then again.. even though i believe in the above, the reason might have been, as a friend said, that because the patch was leaked, ms could not risk not releasing it sooner. oh well.