Friday, September 20, 2024

Microsoft’s PR blunder

Microsoft has been doing a pretty good job over the last year or so rehabilitating its image as The Evil Empire.

Notably through blogging, the company has created the perception that it shares information, listens, and gives a damn about what customers care about. All of that may go right out the window, though, as a result of the company’s cavalier attitude toward malicious attacks on computers using a recently-discovered vulnerability in the Windows Meta File (WMF).

Despite urgent warnings of the danger the flaw presents, Microsoft has announced that a fix will be distributed on Patch Tuesday, January 10. In a statement on the company’s website, Microsoft says:

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and the attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is limited. In addition, attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures…Users should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code. Additionally, consumer customers should follow guidance on safe browsing.

So from today through next Tuesday, I’m not supposed to visit any sites I don’t trust. And those would be…any sites I’ve never visited before? Including all those containing information I want to visit based on links in the blogs of bloggers I do trust?

If that sounds absurd, consider that several well-regarded security organizations have taken the unprecedented step of recommending installation of a third-party fix now rather than waiting for Patch Tuesday. Even the Washington Post is alerting its readers with specific instructions about how to minimize the risk to their computers. The SANS Internet Storm Center has savaged Microsoft on its site, and the blogosphere is filled with resentment and discouragement over Microsoft’s attitude. Good Morning Silicon Valley has referred to Patch Tuesday as “the day after Public Relations Nightmare Monday.”

And the response to all this from Microsoft? Nothing since the notification that the fix would be among the patches released on January 10. Even Scoble does nothing more than point to the Microsoft Security Response Center Blog, which says almost exactly, word-for-word, what the security notice quoted above says. The 26 comments (so far) responding to Scoble’s one-line post speak volumes, such as this one:

This is bad. This is very, very, very bad. I’m a loyal, long-time Microsoft customer, and I consider this to be an unacceptably bad response time from the MSRC on making a patch available for what is a serious vulnerability. It’s pretty blatantly obvious that this is a *process* problem, not a technological problem. Microsoft can do better than this. This patch should be released before January 10th, even if it’s only the English version for XP SP2. Administrators and users will grudgingly accept multiple patches in a short amount of time, if necessary, but allowing them to go weeks without a patch while numerous machines get compromised is, quite simply, a poor business decision.

A communicator in the decision-making process might have been able to alert the powers that be that the response, based on the coverage of the bug in the blogosphere and the mainstream media, would be wholly inadequate. Maybe a communicator did just that but was ignored or overruled. In any case, Microsoft’s reputation will suffer over this gaffe long after the specific issue has been resolved.

Incidentally, I’ve already patched my PC with the third-party fix, and am getting ready to hit the other PCs in the house.

Shel Holtz is principal of Holtz Communication + Technology, which focuses on helping organizations apply online communication capabilities to their strategic organizational communications.

As a professional communicator, Shel also writes the blog a shel of my former self.
