Holtz Communications + Technology

Shel Holtz
Communicating at the Intersection of Business and Technology

Microsoft’s PR blunder

Microsoft has been doing a pretty good job over the last year or so rehabilitating its image as The Evil Empire. Notably through blogging, the company has created the perception that it shares information, listens, and gives a damn about what customers care about. All of that may go right out the window, though, as a result of the company’s cavalier attitude toward malicious attacks on computers using a recently-discovered vulnerability in the Windows Meta File (WMF).

Despite urgent warnings of the danger the flaw presents, Microsoft has announced that a fix will be distributed on Patch Tuesday, January 10. In a statement on the company’s website, Microsoft says:

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and the attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is limited. In addition, attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures…Users should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code. Additionally, consumer customers should follow guidance on safe browsing.

So from today through next Tuesday, I’m not supposed to visit any sites I don’t trust. And those would be…any sites I’ve never visited before? Including all those containing information I want to visit based on links in the blogs of bloggers I do trust?

If that sounds absurd, consider that several well-regarded security organizations have taken the unprecedented step of recommending installation of a third-party fix now rather than waiting for Patch Tuesday. Even the Washington Post is alerting its readers with specific instructions about how to minimize the risk to their computers. The SANS Internet Storm Center has savaged Microsoft on its site, and the blogosphere is filled with resentment and discouragement over Microsoft’s attitude. Good Morning Silicon Valley has referred to Patch Tuesday as “the day after Public Relations Nightmare Monday.”

And the response to all this from Microsoft? Nothing since the notification that the fix would be among the patches released on January 10. Even Scoble does nothing more than point to the Microsoft Security Response Center Blog, which says almost exactly, word-for-word, what the security notice quoted above says. The 26 comments (so far) responding to Scoble’s one-line post speak volumes, such as this one:

This is bad. This is very, very, very bad. I’m a loyal, long-time Microsoft customer, and I consider this to be an unacceptably bad response time from the MSRC on making a patch available for what is a serious vulnerability. It’s pretty blatantly obvious that this is a *process* problem, not a technological problem. Microsoft can do better than this. This patch should be released before January 10th, even if it’s only the English version for XP SP2. Administrators and users will grudgingly accept multiple patches in a short amount of time, if necessary, but allowing them to go weeks without a patch while numerous machines get compromised is, quite simply, a poor business decision.

A communicator in the decision-making process might have been able to alert the powers that be that the response—based on the coverage of the bug in the blogosphere and the mainstream media—would be wholly inadequate. Maybe a communicator did just that but was ignored or overruled. In any case, Microsoft’s reputation will suffer over this gaffe long after the specific issue has been resolved.

Incidentally, I’ve already patched my PC with the third-party fix, and am getting ready to hit the other PCs in the house.

01/04/06 | 8 Comments | Microsoft’s PR blunder

Comments
  • 1. This is a case where the technological decision is right but the business decision isn't. The fact is a PC with a scrupulously updated anti-virus suite is pretty safe from WMF exploits, without the MS patch or any of the numerous other workarounds being touted.

    Most big companies DON'T update their 1000's of PC's every time MS releases updates, even when they are critical patches. They accept the calculated risk of partial failure and rely on good back-up procedures and regular anti-viral updates to reduce the total cost of infection.

    MS patches are known to regularly have knock-on effects in complex business systems and the risk of the upgrade is often equivalent to the real risk posed by infection.

    So, most companies would not be installing this patch this week, even if it was available.

    What MS is missing in this, as you rightly point out, is that the mass media has gone into feeding frenzy mode and blown the thing completely out of proportion. And THIS is what's hurting MS now. It's not rational. It's not reasonable. It's not correct. But it is reality.

    It brings to mind the Intel Pentium bug in 1997 where they ignored the PR aspects at their peril. When Intel initially said the error produced by the then new Pentium processor was extremely rare and very small they were correct. But it was like saying God was just a tiny bit fallible. The rest played out as a typical PR crisis and Intel had to spend a fortune repairing the damage. MS may be putting out this fire for a time to come.

    /mark

    Mark | January 2006 | Sweden

  • 2. Mark, I appreciate your comments. You're exactly right, of course...which is why I labeled this a PR blunder, not a technical or business one! The oldest PR axiom is "Perception is reality" and Microsoft has created the perception that they are dismissing the potential harm to their customers.

    Shel Holtz | January 2006 | Concord, CA

  • 3. I agree with Mark on the business side, but I believe the bad press and perception of consumers is what is really going to bite Microsoft. I imagine most companies also lock-down the sites their employees can visit, so the real victims are the consumers who have personal computers at home. I bet most folks at home don't have the needed antivirus, malware or firewall software they need to be truly protected. I think these personal computer users can also inflict a lot of damage through their blogs and talking with friends and family. I believe viral and word-of-mouth marketing in this day and age is very powerful. I think the comments that are being posted about how this is the last straw with Windows and how people are ready to purchase a MacIntel is the snowball coming down the mountain gaining speed and size. I can only hope that Apple computers will slowly start making it back into the Enterprise. At least Apple focuses on the innovation and the end-user instead of the mighty dollar. That's my $.02.

    Adam | January 2006

  • 4. Short Attention Span Posting (as I recover from last night's Rose Bowl) containing one innovative idea, a "do" and a "don't"....

  • 5. Shel,

    You'll note that Microsoft did succumb to the outcry and released the patch yesterday (1/5) evening as "the testing was completed earlier than anticipated". Their announcement is here:

    http://www.microsoft.com/technet/security/bulletin/advance.mspx

    and the bulletin and patch are now available here:

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    Regards,
    Dan

    Dan York | January 2006 | Burlington, VT, USA

  • 6. Hi, Dan...yeah, not only did I see it, but I installed it on five PCs in the house. The company that provided the third-party patch also offered some detailed instructions on how to remove it and install the Microsoft patch. Too bad MS released the patch as a result of public pressure, though.

    Adam, I get weary of all the Mac cultists touting this kind of problem as some sort of opening for the Mac to make headway against Windows. First of all, if the Mac held 90% market share, the hackers would be digging into OS X to find flaws. Who would spend that kind of time and energy to attack less than 5% of the market? Second, as long as the only way to get OS X is on an Apple-built machine, there will be no competitive pricing (no Dells, for instance) to appeal to people who don't want to pay a premium, particularly corporations. The lack of software is another issue. And if Apple focused on the end user, why can't I pay $1.99 for an episode of LOST and play it on my PSP? That's like buying a CD at Best Buy but not being able to play it in a CD player I bought at Sears. That's not a focus on the end user, that's a focus on protectionism in the name of the mighty dollar. In this case, I just don't agree that Microsoft's failings shine a light on Apple's presumed advantages. And I speak as an owner/user of a PowerBook G4. (My oldest discarded Sony VAIO runs faster.)

    Shel Holtz | January 2006

  • 7. I'd be the first to admit that I've had a little too much of the Apple Kool-Aid. I wouldn't blame Apple for the DRM issues that are facing consumers today. I'd blame the record and motion picture industries. If they weren't so worried about nickel-and-diming consumers and focus their efforts on good quality music and movies, we wouldn't have the music and movie slumps we're currently witnessing. Being a mac fan, I believe iTunes is one of the best ways to legally download music and television content. DRM sucks, but it's not Apple's fault. In regards to the shows not playing on other devices, I can understand why Apple is not licensing their FairPlay DRM technology. They want to own the entire process. This does hurt consumer choice, but I'd rather have a content distribution system that just works, than a sticker that says it'll "Play for Sure." I can't wait to trade-in my current Powerbook for a new Intel powered Powerbook. I agree they're a little long in the tooth, but the lack of security issues, crashing software and rebooting actually allows me to enjoy computing. I'd be happy to see Apple grow two or three percentage points in market share. That growth will translate into billions of dollars in hardware and software sales. I'd recommend dumping your Dell stock and picking up some Apple shares, as the ride will only continue. It's time for another sip of the Kool-Aid.

    Adam | January 2006

  • 8. Here's the problem, Adam. My wife, who has a non-iPod digital media player, can't use iTunes because the proprietary format of the files won't play on her device. WalMart has just as many songs available, for 10 cents less, and she gets them in MP3, which can be played anywhere. WalMart has the same deal with the recording industry Jobs does. This isn't about Apple's deal with the RIAA. It's about boosting the sale of iPods.

    Shel Holtz | January 2006
