Invoking phrases such as "social responsibility", customers and industry observers in the region have expressed concerns over the long wait for Microsoft to release critical patches, as demonstrated in last week's Windows Metafile (WMF) episode.
Waiting one to two weeks for a patch to be ready was "too long", according to a software engineer from a regional healthcare products marketer, which operates some 50 Windows XP-based systems in its Singapore office.
But the engineer, who declined to be named, said he would rather have Microsoft use the extra time to ensure its patches work properly before making them available to customers, than have a botched patch that was released hastily.
"We can only depend on [Microsoft] to release something [that works], which we [ourselves] do not know [if it] will work or cause more problems... that has always been the case," he said.
Dinesh Lal Kumar, director of partners and affiliates at Orientations Network, said Microsoft made "a good decision" in releasing the patch earlier to "safeguard" the interest of its users, particularly since the software vendor retains 90 percent of the OS market, as of Dec. 2005. Orientations Network developed and operates a photo-sharing Web site called LifeLogger.com.
"[Microsoft's] market dominance tasks it with a social responsibility to lead the release of patches for any vulnerabilities detected in its code as soon as possible, independent of its monthly patch cycles," he stressed.
Kumar noted, however, that Microsoft, given the software company's resources, should have been the first to provide a patch for a product it developed.
"Why did it take a third-party to first come out with a preliminary patch to curtail the full impact of the vulnerability?" said Kumar, who is based in Malaysia. "I would think with the resources and intellectual property knowledge [Microsoft has] of its own platforms, it would be committed to being the first to release an interim patch as opposed to an independent outsider like Ilfak Guilfanov."
Orientations Network does not run Windows on its desktops or critical backend systems, but Kumar noted that this was based on "an overall platform decision" the company made and was not the direct result of Microsoft's brushes with security issues.
Carl Li, executive manager and technology director of Beijing Ladder Technology, however, described Microsoft's performance in this episode as "largely satisfactory". Beijing Ladder offers online elementary and high school courses to the China and Taiwan markets.
"I feel that it is reasonable to spend a certain amount of time developing and testing the patch," Li said.
In a phone interview last week, Kang Meng Chow, Microsoft's Asia-Pacific chief security advisor, said the company had not been informed of any customers in the region who suffered a security breach as a result of the WMF flaw.
The calls Microsoft received, he added, were enquiries about "the availability of the patch". The official fix was eventually released last Friday, ahead of original plans to make it available during Microsoft's monthly patch cycle.
From a security point of view, Ang Ah Sin, Trend Micro's regional marketing manager for South Asia, was particularly concerned about the number of variants that had appeared in a very rapid manner. "Patch delays would mean that virus writers can take advantage of the situation and come up with new variants," he noted.
Only 11 days into 2006, the emergence of software flaws such as WMF is signaling "a bad year" for downloadable file formats in Windows, said Neal Gemassmer, Asia-Pacific vice president of security company PatchLink, in a media statement released this morning.
"The new patches show some critical issues in Microsoft's WMF, Transport Neutral Encapsulation Format (TNEF) and Web Font download file formats that can all allow remote code execution," he said.
"The Web Font vulnerability [highlighted in the latest Microsoft security bulletin] MS06-002 looks to be just as much of a problem as the WMF issue. Once again, there is the opportunity for an attacker to use a spam HTML e-mail or Web page to impact users within an organization."
"As Microsoft clearly points out, nobody can force one of its users to go to a Web site," Gemassmer added. "However, clearly relying on user education as your only defense is not a good security plan nor is it safe for your network."