Full of I.T.

Kevin Remde's IT Pro WebLog

You should already know about this…

And if you don’t know about it, and you consider yourself an “IT Pro”, then shame on you for not being connected and informed in areas of Security that are CRITICAL to your job, bozo.


“What’s up?”

Recently a vulnerability was found in the way Windows handles .WMF-formatted files, specifically in a function that can be exploited.  Originally it was determined that there were few enough examples of this exploit “in the wild” that the fix could wait and be rolled out on the next “Super Patch Tuesday” (which is this coming Tuesday, January 10th).

The fact that we (Microsoft) were going to wait to roll out the fix was taken in various ways by the techno-pundits out there… most using it as an excuse to drive readership to their rags by making negative statements and falsely accusing Microsoft of delaying something that should be fixed right away.

Here are a couple of things for you to consider:

As I understand it, the normal cycle for fixing and properly testing the fix before it is available to be rolled out is around 6 weeks.  Consider all the permutations of the files that need to be tweaked, and all the different language versions that have to be tested.  It’s mind-blowing.  Now... consider that in this case, we’ve had 2 weeks to do 6 weeks’ worth of work.  Yes, friends, there are people working around the clock on this one; guaranteed.

Also consider what happens if we DO roll out the patch for something that really isn’t all that widespread of a problem – or when there are simple workarounds that can be applied while waiting for the patch to be fully tested.  Rolling out a patch is a BIG DEAL to most IT workers, because it means testing it themselves, and then rolling it out.  It may mean re-booting servers (and when you’re running 24×7, you KNOW that this can’t be taken lightly).  Microsoft has heard loud-and-clear that we need to be more predictable in our patch release cycles, which is why we now make the 2nd Tuesday of the month such an important day.  And IT workers appreciate that.  (In fact, I’ve read recently that a number of non-Microsoft people are even saying we should go every other month now, because we’ve had months recently with no patches.)  So even if a patch has been sufficiently tested, it’s a burden to our customers.  And if it’s NOT sufficiently tested... well, many of us (myself included) have been burned in the past by applying patches that screwed something up.  Microsoft definitely will NOT make that mistake again if they can help it.  And customers appreciate that the patches recently have been pretty much rock-solid.

So that brings us to today…

Unfortunately, the spread of this exploit has grown to the point where Microsoft has upped the severity, and has rolled out the patch “out of band”.  Meaning – you probably already see it showing up as Automatic Updates. 

“What should I do, Kevin?”

There are a lot of resources available to you. 

For this particular vulnerability, check out this bulletin.  It contains a summary of the issue, plus links for where to go if you’re a consumer or an IT Pro.

And if you ARE one of those who is learning of this for the first time from this blog posting, please please PLEASE at the very least sign up for the Microsoft Security Notification Service.

Stay informed!  Stay safe!  …and let’s be careful out there!

What do you think? Should we have rolled out the patch sooner in this situation?  Should we go to an every-other-month patch release day?