Today is Festivus, and in the spirit of the holiday I have some grievances to air.
Well, only one grievance, actually, involving (who else?) InfoWorld.
My old friend and erstwhile co-author Woody Leonhard wrote an alarming article in InfoWorld today accusing Microsoft of releasing a botched Windows security update that wipes out any customizations you or your organization might have saved in Word's Normal document template.
Here's the screaming headline:
And the text is dripping with scorn for Microsoft, with comments like, "I have no idea how this patch made it through any sort of testing at Microsoft. The fact that KB 3124200 is a forced update only rubs salt into the wound."
But here's the problem: That cumulative update for Windows 10 has nothing to do with the bug in question.
You know how I know? Because I took the time (a little over four hours) to run some tests. And InfoWorld didn't.
That's right, the editors of InfoWorld published an inflammatory article accusing Microsoft of releasing a flawed update ("the worst yet"), and that accusation was backed up by nothing more than a few angry newsgroup postings.
The actual source of this relatively minor bug (the original Normal document template is backed up and can be restored in about 10 seconds) is the latest update to Office 2016, which brings the version up to 16.0.6636.2036. That's the one that Microsoft acknowledges is the source of this bug.
I was able to prove that conclusively by firing up a three-month-old virtual machine running Windows 10, one that had not yet been updated to version 1511. With the network cable disconnected, I installed the most recent release of Office 2016 Pro Plus, version 16.0.4266.1003. I then reconnected to the network and used the Office Updates button in Word to get the latest update.
Sure enough, the bug in question manifested itself. For some reason, my old Normal.dotm file was renamed to Normal.dotm.old, and the next time I created a document in Word it generated a new, blank Normal document template.
Next, I installed a series of updates, bringing the virtual PC to Windows 10 version 1511 and installing cumulative update KB3124200. Here, see for yourself.
And guess what? My Word settings were untouched. Which is exactly what I expected, given that a Windows update is unlikely to have any impact on Office files or settings.
Of course, the original story has been retweeted and shared countless times, and there are no doubt some people who truly believe that it's grounded in facts and that Windows 10's update process is horribly broken.
Ironically, it appears that SC Magazine UK, whose tagline is "For IT Security Professionals," stole that InfoWorld story outright, not even bothering to credit the U.S. publication.
Their sarcasm is even more embarrassing in hindsight:
Yes, how indeed could an organization make the "newbie mistake" of publishing something without testing it first?
The writer for SC Magazine (I am not going to call him a reporter, because, well, you know...) actually managed to get three security experts to go on the record tut-tutting Microsoft for this mistake, which turned out to be nonexistent.
My favorite was this quote, from Mark James of ESET: "Luckily for [Microsoft], this is a rather insignificant issue but to be honest I would expect the Microsoft QA process to be faultless by now - it's not like they have not had a lot of practise."
Seriously, any security professional who expects testing of complex software products to be "faultless" should turn in his debugger.
Update: And now ExtremeTech has decided to get in on the act, stealing the original article from InfoWorld without giving any credit, then using the second half of their post to rail against Microsoft for its shoddy testing policy.
Mark Twain probably never really said that quote that's attributed to him so many times: "A lie can get halfway around the world while the truth is still lacing up its boots." But in the modern tech press it's certainly true.
It's easy to trawl through message boards looking for unhappy users and turn those random complaints into click-baiting blog posts. Who cares if they're true?
I've lost count of the number of times I've dug into a story like this, spent hours testing, and then discovered there was nothing to it. Meanwhile, my peers who don't feel the need to actually do their homework can write three crappy, fact-free posts in that same half a day.
Oh well. Happy Festivus, everyone. It's time for the feats of strength. Watch me tear this copy of Forbes in half!
Note: I really don't want to reward sloppy work with links, but for those who want to witness the atrocities firsthand, the InfoWorld article is here and the SC Magazine post is here. The ExtremeTech post is here.