Frankly speaking: Getting it right

09.01.2006
Just when we think Microsoft finally understands the importance of security, we get this WMF fiasco. Here was a situation with all the makings of a catastrophe: a zero-day attack based on a long-standing design flaw, discovered at a time when everyone's on vacation, exploited using something as innocuous as a picture on a Web site. Microsoft's response? A crash holiday effort that produced a working, effective patch within days. Followed by a decision to not release the fix until the next monthly patch dump -- and a public announcement of that decision so that every bad guy could declare open season on Windows PCs until Jan. 10. Followed, at last, by a decision to release the patch ahead of schedule after all.

That, finally, was the right decision. But why did Microsoft's management strain so mightily in the wrong direction before doing the right thing?

Microsoft programmers did their job. We know that because Microsoft's WMF patch showed up briefly on a security Web site a week before its scheduled release ("inadvertently," Microsoft said). Security gurus who examined it said it worked and didn't conflict with a non-Microsoft patch that was already available.

But Microsoft didn't release its patch then. Why not? The official answer: It wasn't thoroughly tested and available in all languages and for all versions of Windows. The scuttlebutt: Microsoft bigwigs didn't want "Microsoft Issues Emergency Fix" headlines and viewed the WMF threat as overblown -- although, fortunately, someone in Redmond thought it was dangerous enough to build an emergency fix during the holiday break.

Let's be clear about this: Microsoft was right to reverse course. Those bigwigs who wanted to hold the patch were right to listen to customers and release it ahead of schedule. Yeah, the flip-flop looks embarrassing, and they'll take some flak for that. But they deserve thanks, not grief. Getting that patch out the door four days early is going to make a difference. We're all better off with the right decision than with a foolish consistency.

But, that said, why the heck did they get it so wrong in the first place?