* Microsoft sticks to its guns

I’d intended to use this issue to suggest some actions Microsoft might take this year to better itself and its users’ experiences. That is, I was going to propose a set of New Year’s resolutions for the Redmond colossus.

But last week’s moaning, wailing and gnashing of teeth about the new Windows Metafile (WMF) exploit (also known as “zero day”) simply calls out for comment, so I’ll put off the resolutions one more time.

The WMF vulnerability is a real one. It relies on old code in the WMF format that was implemented over a dozen years ago to allow executable code to be embedded within the WMF file. One reason for this was to allow for the recall of print files. It’s no longer needed, but like much of Windows’ baggage, it’s there to provide backwards compatibility. And backwards compatibility, as I’ve often said, is one of the biggest causes of security flaws. Next week, when we do look at New Year’s resolutions for Microsoft, I’ll offer a suggestion that could help overcome this problem.

Today, though, I want to focus on the public outcry over the WMF bug. Or rather, the outcry over Microsoft’s response. While the potential exploit was announced on Dec. 28, Microsoft wouldn’t commit to releasing a patch until Jan. 10 as part of its “Patch Tuesday” patch process. A third-party patch was released early last week and people wondered why Microsoft couldn’t have released its patch earlier.

Of course, it wasn’t Microsoft that announced the vulnerability but a number of security firms – even though no exploits had been detected in the field. If this potential flaw had been around for many years and if no exploits had occurred, why did some in the security community feel the need to stir up trouble (and, some feel, instigate nefarious activity) in the week between Christmas and New Year’s?

Microsoft stuck to its policy of fully testing a patch before releasing it.
In the meantime, it released a workaround procedure that, while requiring a change to the Windows registry – something that should never be lightly undertaken – protected most systems from most exploits of the WMF “feature.” It was the right thing to do.

Microsoft did, in the end, release the patch early – last Thursday, in fact. According to the company’s Web site announcement, this was done because the testing was completed earlier than expected. Let’s hope it was, and that the company wasn’t simply reacting to the outcry. Because if the patch wasn’t fully regression tested and it causes problems in other areas, there’s sure to be just as vociferous a call for “getting it right” the next time.

I believe Microsoft got it right this time, and it’s important that we commend Microsoft when they do something right. Too often we use the stick but forget the carrot.