WMF Patch Timing: Brilliantly Evil?
If you’ve followed the “WMF Vulnerability” that’s been all over the security blogosphere, with leaks into the mainstream media, then you know that today Microsoft released a patch. (If you don’t know this, please just go run Windows update.) I haven’t talked about it because I haven’t had much to add, but today’s release of an update may well have been brilliantly evil.
I think that Mike Nash is being quite candid in his post on the MSRC blog. Microsoft would really like their customers to patch, and those customers have a much longer memory for patches that cause failures than patches that just work. (In some ways, this is a displacement of the sysadmin’s curse.)
The timing of the patch was driven by Microsoft’s need to understand the quality of the patch before shipping. It was also driven, in part, by real-world exploits, but as of yesterday, Mike Reavey wrote:
I just wanted to provide another quick update on the WMF vulnerability situation. Microsoft is continuing to work on finalizing a security update for the vulnerability in WMF that is currently being exploited by some malicious attackers. The update has been on an expedited track since Microsoft became aware of the attacks on December 27th. We still anticipate releasing the security fix for this issue on January 10, 2006, once testing for quality and application compatibility is complete. (“WMF Vulnerability Security Update.”)
I’ve been thinking a lot about the game theory aspects of this, and asking myself, when is the ideal time to release another vector, say a mass-mailing worm? The worm author has to trade off time spent testing their worm against the chance that a patch would come out before they released. So the worm author wants to release fairly late, but not so late that he’s scooped by other worms, or by a patch.
In light of the strong words from Microsoft that a patch would be released Tuesday, the pressure on worm authors to release was lessened. The rational trade-off between testing and release was shifted towards a later release.
At the same time as Microsoft was making these statements, they had knowledge about how the patch testing was going. Were they misleading the hackers (and, incidentally, everyone else) in their statements before today? Was it an intentional application of lessons from game theory about the shadow of the future?
If so, I’m impressed. Evil like that is all too rare.
(Evil Santa from Janx.)