Out-of-cycle fix underscores fundamental change in Microsoft patching process

It wasn't too long ago that Microsoft bore constant criticism for its lack of transparency regarding security vulnerabilities and subsequent fixes.

One cannot objectively still accuse the software giant of similar evasiveness.

Nowhere has this change in approach been more evident than Thursday's unexpected out-of-cycle patch for a Windows Server service vulnerability. Immediately following the issuance of the fix, Microsoft staff wrote posts on not one, not two, not three, but four different Microsoft blogs. You can find them here.

That's not to mention the webcasts -- Microsoft added two on Friday because of popular demand -- where end-users could hear specifics about the major flaw.

Certainly this was an urgent matter that companies across the globe needed to be aware of and act on quickly to prevent the possibility of a major internet worm à la Nimda, Code Red and Blaster.

And Microsoft realized that corporations would have a lot of questions: Why did Microsoft rush this fix? How did this one get past the secure code team? Which Windows versions are most affected? What do the active attacks look like? The software giant did its best to provide answers.

They should be commended, especially on the heels of the first-ever round of Patch Tuesday bulletins that included an Exploitability Index, by which users can measure the likelihood of the vulnerability in question being exploited.

Needless to say, Thursday's out-of-cycle fix aimed to correct a gaping hole that could have been consistently exploited.

And thanks to Microsoft's candor, not only are businesses patching before anything gets out of hand, but they are patching with an understanding of what they're patching and why.

And information is power, after all.
