[pdpi]

Patch Tuesday is the second Tuesday of each month. Unless something odd happens, you can count on the fix being out a week from tomorrow. There's also a justification for this — they sat on it because they were releasing other SMB-related patches on the February Patch Tuesday. I don't really think anybody can reasonably argue that MS would not release the fix next week. But that's not the point.

This bug was reported in December, and there's no reason to believe that they didn't have a patch in time for inclusion in the January Patch Tuesday. They chose to withhold that patch due to non-technical, apparently PR-related, reasons, and the researcher in question is complaining that this has happened before with other bugs reported by him. That's a pretty cavalier approach to security, and early disclosure is the only way the researcher can punish MS for it.

[mjw1007]

It's slightly worse than that: the bug was reported in September; December appears to be when they had the patch ready.

So there were two months of apparently unjustified delay.

[tedunangst]

Sure, if MS promised to issue a patch in January, then go ahead and release info when they don't. But it's weird to wait for a February patch, and then release a week early.

Like I'm more or less ok with "full disclosure upon discovery" as a consistent release policy. Or "wait for a patch up to 90 days". Or several other models. "Wait until one week before patch" is an oddball policy which seems like it has all the cons and none of the pros of other models.

[pdpi]

Releasing a week early makes for a smallish window during which the exploit is unpatched and in the wild, while still being impactful enough that it forces Microsoft to react to it somehow. I'm not sure it's the Right Way of Doing Things, but it's defensible.

[forgottenpass]

They chose to withhold that patch due to non-technical, apparently PR-related, reasons

Do you know that, it is it just speculation? I could speculate that there were technical reasons around having two smb patchsets to test in various combinations vs bundling into one.

[true_religion]

The cynical answer would be: try harder Microsoft, and do not let your customers remain vulnerable simply because you can't test two patch-sets at the same time.

If 'trying harder' is not possible due to financial reasons, then the only recourse is disclosure.

This bug will be fixed now, but certainly could have been excluded again because of technical reasons---they're publishing a separate set of patches on SMB again soon, maybe those patches have higher priority to people on the Microsoft org-chart than the patches for this bug.

When companies aren't given hard deadlines for disclosure, they'll just delay forever because there is always a technical reason that you can't do enough testing to satisfy yourself, while doing X, Y, Z which are added to your schedule for political/financial reasons.

[EdHominem]

Why do they deserve the benefit of the doubt when their press release contains actual lies? When someone lies to me everything they say becomes suspect. It's the standard we expect individuals to live up to, why do you want to give more slack to a company?

Further, so what? There's always some problem. They should either suck it up and work harder or come clean and give users actual choice in how to respond.

[forgottenpass]

Why do they deserve the benefit of the doubt when their press release contains actual lies?

I didn't say they do. I responding to the parent post on the bit I quoted ("They chose..."). If it's irrelevant under other precondition, take it up with the parent post.