Microsoft, patches and what we really learned from the WMF 0day

well, folks… microsoft released the wmf patch ahead of schedule.

patches for two other critical vulnerabilities are still scheduled for release next black tuesday.

what does that teach us?

there are a few options:
1. when microsoft wants to, it can.

there was obviously pressure with this 0day. still, most of the damage done by vulnerabilities happens after microsoft releases the patch and the vulnerability becomes public.

2. microsoft decided to skip a few qa tests this time, and release a patch.

why should they be releasing beta patches?
if they do, maybe they should release beta patches more often, and let those who want to use them do so. it could probably also shorten the testing period considerably.
if this patch is not beta, but things did just /happen/ to progress more swiftly.. then maybe we should re-visit option #1 above.

two options, neither pretty.

it didn’t take ilfak guilfanov, without microsoft’s resources, much time at all to write his patch, which seems remarkably similar to microsoft’s, and just as stable.

maybe it’s just that we are used to sluggishness. perhaps it is time we, as users and clients, started demanding that microsoft push things up a notch.

put in the necessary resources, and release patches within days of first discovery. i’m willing to live with weeks and months in comparison to the year+ that we have seen sometimes. naturally some problems take longer to fix, but you get my drift.

it’s just like with false positives… as an industry we are now used to them. we don’t treat them as bugs, we treat them as an “acceptable level of”, as i heard aviram mention a few times.

it is time to step up your efforts, microsoft. we believe you can do it; you keep wanting us to believe that you do. show us, and we will believe.

i may be a critic of microsoft, but unlike others, i have nothing at all against the company. i just believe that wanting to work with the industry and proving seriousness works better through actions.

talk is cheap.

then again.. even though i believe the above, the reason might have been, as a friend said, that because the patch was leaked ms could not risk not releasing it sooner. oh well.

gadi evron,
ge@beyondsecurity.com.

  • Wells

    You have to remember that Microsoft has to TEST these patches on hundreds of configurations and localisations.

    Have you heard that the Ilfak Guilfanov patch disabled printing on some machines? Can you imagine that happening on a large scale with an official patch? Microsoft would be in trouble.

    The patch was originally leaked a few days ago and it had a signature saying it was made on Dec 28th… so they had the patch ages ago, they just needed to test it.

    See this link for more details:

    http://silverstr.ufies.org/blog/archives/000896.html

  • Richard

    Hmm .. I’d much rather have a thoroughly tested patch than a quick patch. I would be pretty pissed if a patch screws up my system requiring me to do major damage-control.

    Furthermore, remember that Microsoft can be held responsible for malfunctioning software! If they can’t prove that they made sufficient efforts to prevent screwing up end-users’ PCs they can be liable etc. etc.

  • sunshine

    The point I am trying to make is different.

    We as an industry got used to slow processes, as well as false positives and other evils.

    None are simple issues, but what this and other events come to show is that it is possible, and we should get out of our own box and demand more.

    BTW – the MS patch does the same as Ilfak’s.. so…

  • DavidMcK

    Perhaps you should view what happened in a different way. Microsoft gave a schedule for releasing a patch. They probably wanted to give a schedule they were pretty confident they could make. It happened that they were able to test it and have confidence in it earlier than they thought, so they released it early.

    I don’t know what your background in software development is, but from my experience, I know that scheduling testing and debugging is notoriously difficult.

    How would you be reacting if Microsoft released a patch on Dec 30th that caused 1% of all machines to crash? Somehow I doubt you’d be congratulating Microsoft for trying to get a patch out quickly.

  • sunshine

    100% behind you. I just believe that industry standards are at an all-time low and that vendors should put more resources into fixing security bugs. Waiting a year+, for whatever vulnerability, is unacceptable.

    Obviously, when in a rush, it can be done.

  • Pingback: SecuriTeam Blogs » Standards of operations in our industry - current status