AB3A's Journal: WMF and Microsoft apologists

I'm amazed that so many think Microsoft did a timely and decent job responding to this threat. I don't think they did.

Their first reaction was understandable. Disable WMF file display capability with a registry tweak. That's a decent initial reaction to a zero-day exploit. It was timely, and reasonable. I can't fault them for this initial reaction.

However, what happened next made little sense. It appears they sat on this problem for several days thinking that it wasn't critical. Meanwhile, legions of black hat hackers and script kiddies were salivating over all sorts of potentials for attack. Someone made an IRC worm out of this mess. Someone else made a WMF exploit kit. Microsoft just sat tight.

Meanwhile, F-Secure discovered the fix by Ilfak Guilfanov and negotiated to have it placed on Hexblog. However, since most do not know who Guilfanov is or even who these nice guys at F-Secure are, not many used this fix.

No sooner did Microsoft announce an update on the next cycle than, with little technical consideration, many folks decided that All Was Well. One of them, Ed Bott, began shooting the messengers of the WMF problem without any apparent consideration of what it was that they might know that he didn't. I pointed out that I didn't think much of Microsoft's responsiveness, while he tried to smear the Open Source community's better efforts with a very lame case.

Only 9 days later, after the WMF virus building kit was already in the wild, did Microsoft release fixes for 2000, XP and 2003 Server. However, this mess existed in every version of Windows since 3.0. True, the associations for WMF files didn't exist by default in OSs prior to XP. However, many application programs used them. It wouldn't be a stretch to say that Microsoft is still underestimating this "feature."

Ed is, of course, entitled to his opinions, no matter how ill informed they may be. However, he is not alone in this behavior. I wish there was a way that people in the Open Source Community could quietly make a case that perhaps there is room for improvement in Microsoft's behavior here. After all, they're the ones getting paid for this effort. Shouldn't people get something for their money?

Postscript: It appears I'm not the only one asking this question.

Comments:
  • Shouldn't people get something for their money?

    Like I have said before, people are getting something for their money: free software! And oftentimes it installs itself without the user even noticing. What a great value added service!
