FUDBuster: Microsoft Forces Messenger Upgrade--Six Months Later

Analysts compliment Microsoft for taking swift and decisive action in heading off a potentially harmful attack vector. Since when was a six-month delay considered 'swift'?

March 10, 2005


FUDBust: Perhaps in the land of teenage hipsters, who prefer text to touch, Microsoft's actions were both speedy and conclusive. In our minds, the trajectory of this full product upgrade illustrates the bad karma that ensues when software vendors and white hat "research" firms cooperate. Microsoft and its partner in crime, Core Security Technologies, are pointing fingers at each other. Microsoft claims Core released a proof-of-concept that spawned an actual exploit. The exploit forced Microsoft to issue a mandatory upgrade--and kick nonupgraded clients off the Messenger chat network. Core doesn't deny these facts, but notes that it uncovered the vulnerability back on Aug. 23, then waited until Microsoft published a fix on Feb. 8 before releasing its own advisory and "test" exploit.

Even if Core's actions were questionable, the dunce hat still belongs on Microsoft's head. Why did it take a software giant six months to address a potential threat? And why didn't it avoid a mandatory and chaotic full product upgrade by designing Messenger to accommodate modular patches?
