Microsoft's Patch Dilemma

Microsoft wants you to know it's making progress on the security of its software. It's feeling so comfortable, in fact, that last Thursday and Friday it held a meeting in Redmond and invited several security consultants to critique its performance.

Unfortunately, the PR value of the "Blue Hat" (the consultants aren't black hats -- the bad guys -- nor are they necessarily white hats -- the good guys, get it?) session was undercut by problems in Microsoft's most recent set of patches to fix security vulnerabilities in its products, released last Tuesday.Microsoft was feeling so comfortable, in fact, that it invited The New York Times' Jon Markoff to the meeting. Markoff wrote a favorable story in Monday's Times (you can read it here, if you got a user account) that included a lot of statistics, obviously provided by Microsoft, on how the quantities of security bulletins issued for its products, have fallen over the past year or so.

But at the same time, the company was admitting that it's patch for a Windows OS vulnerability was causing problems. The bug seems to affect only systems that have changed the default permission settings of the COM+ files, a group that probably doesn't include most of us. There were also reports of problems with the behavior of Internet Explorer after Tuesday's patches were installed. (Microsoft hasn't yet decided whether this is a buggy patch or not.)

There are a couple of problems here. The first, and most obvious, is that it doesn't really matter if Microsoft is giving the bad guys fewer ways to break users' systems if Microsoft itself is finding new and creative ways of breaking users' systems.

The more serious problem is that if Microsoft's security patches develop a reputation for causing as many problems as they fix, then users won't apply them.

It doesn't really matter that the Windows problem seems to be an obscure, hard-to-test-for bug. It's the perception of users, reduced to a simple equation, Patches=Problems, that Microsoft has to fight against. It's got to test thoroughly, yet fix problems expeditiously. It's a dilemma with few right answers except "Communicate, communicate, communicate." To it's credit, that seems to be what Microsoft has been doing. It's talking, openly admitting to problems, and listening to critics like the "Blue Hats." And that -- far more than trying to use quantities to spin what is really a quality issue -- really is progress.