Microsoft patch opens users to attack
August 24, 2006
Microsoft has spent a lot of time and effort trying to improve its security image. Part of that effort was gaining mindshare among admins, so that patches would be trusted and deployed in an expeditious manner. The Microsoft vision seemed to go as far as wishing everyone would simply enable automatic updates. Obviously, for a variety of reasons, that simply hasn't been the case. Recently, Microsoft has been taking some heat for machines rebooting despite automatic updates being turned off. Yes, someone actually sent Bill Gates an invoice because of it, and the media and blogosphere have been having a field day with it.

In the midst of all that, Microsoft released a patch that fixes about eight issues but also opens a completely new vulnerability. It also causes IE to crash with a variety of business-critical apps, such as PeopleSoft, Siebel, and Sage CRM, and with any site that uses HTTP 1.1 compression. What exacerbates an already bad situation is that the proposed fix has now missed its target release date and is delayed indefinitely, which leaves admins choosing between the vulnerabilities the patch closes and the one it opens, with the crashes thrown in either way. When someone at a large security firm says things like “They basically butchered that patch.”, it doesn't inspire a lot of confidence.

These incidents will almost certainly undo much of the work Microsoft has done on the “improving its security image” front, and they make you wonder just how much it will be able to deliver on the promises made for Vista. The fact that part of the problem still seems procedural rather than technical doesn't bode well.
–jeremy
Microsoft, MSFT, security, Windows, Bill Gates