I'd intended to use this issue to suggest some actions Microsoft might take this year to better itself and its users' experiences. That is, I was going to propose a set of New Year's resolutions for the Redmond colossus. If Bill Gates would only move his headquarters 8 miles down the road, we could call Microsoft the Behemoth of Bellevue. Has a nice ring, doesn't it? But last week's moaning, wailing and gnashing of teeth about the new Windows Metafile (WMF) exploit (also known as "zero day") simply calls out for comment, so I'll put off the resolutions one more time.

The WMF vulnerability is a real one. It relies on old code in the WMF format that was implemented over a dozen years ago to allow executable code to be embedded within the WMF file. One reason for this was to allow for the recall of print files. It's no longer needed, but like much of Windows' baggage, it's there to provide backwards compatibility. And backwards compatibility, as I've often said, is one of the biggest causes of security flaws. Next week, when we do look at New Year's resolutions for Microsoft, I'll offer a suggestion that could help overcome this problem.

Today, though, I want to focus on the public outcry over the WMF bug. Or rather, the outcry over Microsoft's response. While the potential exploit was announced on Dec. 28, Microsoft wouldn't commit to releasing a patch until Jan. 10 as part of its "Patch Tuesday" patch process. A third-party patch was released early last week and people wondered why Microsoft couldn't have released its patch earlier.

Of course, it wasn't Microsoft that announced the vulnerability but a number of security firms - even though no exploits had been detected in the field. If this potential flaw had been around for many years and if no exploits had occurred, why did some in the security community feel the need to stir up trouble (and, some feel, instigate nefarious activity) in the week between Christmas and New Year's?

Microsoft stuck to its policy of fully testing a patch before releasing it. In the meantime, it released a workaround procedure that, while requiring a change to the Windows registry - something that should never be lightly undertaken - protected most systems from most exploits of the WMF "feature." It was the right thing to do.

Microsoft did, in the end, release the patch early – last Thursday, in fact. According to the company's Web site announcement, this was done because the testing was completed earlier than expected. Let's hope it was, and that the company wasn't simply reacting to the outcry. Because if the patch wasn't fully regression tested and it causes problems in other areas, there's sure to be just as vociferous a call for "getting it right" the next time.

I believe Microsoft got it right this time, and it's important that we commend Microsoft when they do something right. Too often we use the stick but forget the carrot.