Microsoft patch opens users to attack
Robert Lemos, SecurityFocus 2006-08-22

UPDATE: Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

Microsoft patch opens users to attack 2006-08-23
TJ (1 replies)
Re: Microsoft patch opens users to attack 2006-08-24
Matthew Murphy (2 replies)
Re: Re: Microsoft patch opens users to attack 2006-08-25
TJ (2 replies)
Re: Re: Re: Microsoft patch opens users to attack 2006-08-25
Matthew Murphy
Yes, mistakes do happen. However, this mistake had no reason to be there -- the changes introduced were extraneous and not a part of the elimination of any vulnerability. As I said, Microsoft has had major failures in 3 patches in the last four cycles -- less than a 3 month period, and you have to go back six years to find a screw-up they made that was this bad. Also, how many other vendors do you know where security patches have introduced vulnerabilities of the same significance as the ones patched? I only know of one.

I'm choosing NOT to give Microsoft "credit" for their blog postings, because they:

a) made the blog postings only after eEye announced the vulnerability.

b) claimed publicly in prior blogs on the same sites that the issue was a simple crash, when the authors knew otherwise.

c) chose to attack eEye and continue to insist that deceiving customers was in the public interest.

Not only was the patch broken, but Microsoft's public statements are blatantly false up to the point where they are publicly corrected. It is my belief that those statements violated multiple federal laws on false and misleading marketing claims.

Accordingly, Microsoft deserves a thorough scolding for how they handled this incident, not "credit", as you seem intent on showering them with. Microsoft is the only vendor in the software business able to get away with such conduct and not face a substantial penalty in the marketplace, and is only so because its technology is a proprietary monopoly.

Microsoft crippled patches 2006-08-23
assurbanipal
Microsoft patch opens users to attack 2006-08-24
Improvisator







 

Copyright 2008, SecurityFocus