A lot happened in the last 100 days. We had Christmas, New Year’s, the jump to a new Daylight Saving Time, a couple of high-profile acquisitions (as well as one that was expected but didn’t happen) and the consumer launch of Windows Vista. You’d think that somewhere in all that time Microsoft might have hinted that danger was heading its users’ way.
Now that the company has admitted it learned of the animated cursor flaw in Windows last December, executives have been falling over themselves trying to explain why the patch took so long. Most IT managers probably don’t need much of an explanation. If they have to deal with the PCs that are affected by this kind of flaw, they appreciate what it must take to come up with a solution that’s air-tight. The question is why Microsoft kept the scope of the vulnerability, which others have suggested is the worst since the Windows Metafile flaw of 2005, under wraps. Perhaps spreading the news would have inspired others to exploit the flaw even earlier than they did. It’s also possible no one in Redmond wanted to invite the added pressure for a quick fix once the flaw became public.
In some ways, Microsoft faces the same dilemma as organizations such as the CIBC or TJX when they experience data theft. The decision to inform can either empower those to which the organizations are accountable, or it can cause panic and chaos. In the case of an enterprise like the CIBC or TJX, the decision to inform is sometimes put off because legal authorities want to conduct an investigation. Though its software is installed on millions of desktops worldwide, Microsoft is bound by no authority other than its own in deciding when to inform users. It will therefore face a harsher judgement than most.
The cursor flaw fiasco might not seem so egregious had Microsoft not decided in March to skip its usual patch update. This is not something that has happened very often – I can think of only two other occasions off the top of my head in the last three years – and it gave the industry a sense of complacency that has proved patently false. Even if the patch for the cursor flaw was not through testing, Microsoft could have used the opportunity to engage with other members of the security community to outline the degree of risk and suggest some preventative measures to minimize the damage. When the industry made a coordinated, cooperative effort, as it did around Code Red several years ago, a great deal of harm was staved off. But the IT security sector has gotten a lot more political since then, and Microsoft seems unlikely to hold hands with Symantec, McAfee or other major security vendors anytime soon.
IT managers might have used their free Patch Tuesday in March to focus on other matters, like the DST change. Having April’s Patch Tuesday bumped up a month is not necessarily a huge inconvenience if it gets rid of the flaw, but it shows the overall weakness of the monthly patch cycle. Although it was originally intended to help IT departments manage the process, software vulnerabilities have a timetable of their own.
The power of Patch Tuesday is that it offers a regular interval when Microsoft knows it has its customers’ attention. The more often it limits what it tells those customers, the more their attention is likely to wane. Microsoft hopes that IT managers will evaluate the company based on the valuable information it provides them. It is far more likely IT managers will evaluate Microsoft based on what is left unsaid, and for how long.
Shane Schick is editor of ITBusiness.ca and Computing Canad