Microsoft exec defends vendor's WMF advice

09.01.2006
Debby Fry Wilson, director of Microsoft's Security Response Center, spoke with Computerworld after the company released its patch for the WMF flaw.

What prompted the release of the WMF patch after Microsoft initially said it would be released on Jan. 10 with your other monthly updates?

There's been a lot of variance in opinion in terms of how big the issue is and how fast it is spreading and so forth. Our analysis and guidance has been consistent that although the attacks are serious, they have been fairly stable in terms of spread. With that, we determined the best course of action was to put all our resources into a comprehensive update.

Because this is the first time we have gone on this fast of a track, we were somewhat conservative in our estimation, and we thought the best-case scenario was the Tuesday monthly release cycle. We put teams on this 24 hours around the clock. They finished the testing [Thursday] morning, and with the early completion of the testing, and also with the very strong customer sentiment that we got, we decided to release it [early].

Is this the shortest time you've taken to develop and release a patch?

This is the fastest we have ever produced and tested an update at Microsoft. The development of the code fix actually ended fairly quickly. What takes a long time is testing through all of the complex matrices that we do. The other complexity is that we released simultaneously in 23 different languages and for all [supported Windows] platforms.

What do you think in general of how the security community reacted to the disclosure of the flaw?

In these situations, there is always a lot of information that is flowing around. In some cases, there is some misinformation; in some cases, information is being provided for self-serving reasons by individuals or organizations trying to draw attention to themselves. All of that chatter makes it difficult for customers to know what authoritative source to put their confidence in.

With this issue, we have always tried to be open and transparent. There are times when our guidance may be in conflict with some of the more inflammatory things you hear in newsgroups and press headlines. But if anyone was to do a backward look, you would see our guidance is always based on data and on analysis, with the customer interest in mind.