As is always the case with Microsoft, no good deed goes unpunished. The software giant quickly patched an alarming zero-day flaw in its Internet Explorer (IE) web browser on Friday, just days after revealing the existence of the flaw to the world. Many lauded the firm for moving so quickly, but some Microsoft critics are now accusing it of secretly sitting on the fix for weeks … even though doing so is the right thing to do for customers.
“Microsoft released a security update and a separate security advisory addressing issues affecting IE,” a Microsoft spokesperson told me Friday. “For customers with Automatic Updates enabled, there is no required action. As always, Microsoft encourages customers who do not have Automatic Updates enabled to apply the updates as quickly as possible.”
Microsoft had previously revealed the existence of the zero-day flaw in IE, along with a set of workarounds, last Tuesday, and then released a patch to fix the problem on Thursday. At that time, it promised to release a fix covering this and other flaws on Friday. It then did just that, announcing a cumulative security update that addressed the zero-day flaw and four other privately disclosed (and non-exploited) software vulnerabilities in its web browsers.
Mission accomplished? Not quite.
With a dash of innuendo and conspiracy theory, the software giant’s critics are now claiming that Microsoft sat on a fix for this previously unknown flaw for as long as weeks. A sensational report in Computerworld kicked off the beat-down session, with various security researchers tripping over themselves to speculate that, surely, Microsoft knew about this flaw before it revealed it to the public. (This followed a widespread knee-jerk reaction from audiences as diverse as bloggers, security researchers, and even the German government, using this flaw as an excuse to warn users not to use IE.)
Is this criticism fair?
Actually, no. As with the four previously undisclosed software flaws, these types of bugs are problematic only when hackers know about them and then write malware that exploits the flaws. This most often happens—wait for it—when Microsoft releases software patches and discloses the causes. These releases alert hackers to the flaws, and they then race to exploit them before Microsoft’s billion-plus customers can install the fixes.
So rather than criticize Microsoft for “sitting on” a flaw and its fix, one might instead laud the company for doing the right thing. Unless, of course, your actual goal isn’t to protect users.