Frankly speaking: Getting it right

09.01.2006

They had options. They could have released a patch early and warned customers that it wasn't fully tested. They could have even called it a beta and asked customers for feedback, since no IT shop was going to put it into production without testing it.

Instead, amid growing concerns from security experts and hundreds of new WMF exploits and tools for bad guys, Microsoft kept saying customers should just tweak the Windows registry and wait for the next patch cycle.

Microsoft's decision-makers apparently got two things wrong. First, they underestimated the seriousness of the WMF threat. And second, they assumed that their estimate was the one that mattered.

They were wrong. Security decisions belong to IT shops. That's where the buck stops. That's where risk can be assessed. To patch or not, when to patch, what to patch -- corporate IT has to make those choices.

Microsoft's role is to support those decisions, not preempt them. Holding up a fix because it's inconvenient or embarrassing or seems low-priority isn't the way to do it. Responding as fast as possible with the best Microsoft can deliver, so customers can choose what to do -- that's the way to go.