Where’s the workaround for the Windows security vulnerability?



07 July 2009

If you’ve read the news in the last day or two, you’ve probably run across an article talking about an “unprecedented step” taken by Microsoft, in that they are talking about a Windows vulnerability before they have a patch or fix available.

When I read the article on msnbc.com it mentioned that there is a workaround (not a fix – but a way to be safer), and that information could be found on Microsoft’s web site.

So off I went to http://www.microsoft.com – Microsoft’s web site. Where I found nothing on the topic, but I did find a link to the security home page.

So off I went to the security home page. Where I found nothing that was obviously on the topic. Yes, there’s a lot of information there, including some information on viruses, infection attacks and an apparent rise in fake attacks (so I started wondering if MSNBC had been faked out?).

At no point in here did I realize that one of the articles on the security home page actually was the article I was looking for! It turns out that this particular vulnerability is through an ActiveX video component, a fact not mentioned in the MSNBC article. So while I saw information about such a thing on the Microsoft site, I had no way to link it to the vague mainstream press article that started this whole adventure…

Fortunately I know people :)

The vulnerability is an ActiveX video component issue. And the workaround is documented here:

http://support.microsoft.com/kb/972890

And now that I know I’m looking for information related to an ActiveX video component issue, it is clear that there are relevant bits of information on these sites too:

Microsoft Security Response Center blog:

http://blogs.technet.com/msrc/default.aspx

Microsoft TechNet Security alerts:

http://www.microsoft.com/technet/security/advisory/default.mspx

I still think the communication here is flawed. The mainstream press screwed up by providing insufficient and vague information, making it virtually impossible to find the correct documentation from Microsoft on the issue. But perhaps Microsoft was vague with the press too – hard to say.

And I think Microsoft could have been much more clear on their sites, providing some conceptual “back link” to indicate which bits of information pertain to this particular issue.

There’s no doubt in my mind that my neighbors, for example, would never find the right information based on the mainstream articles in the press. So Microsoft’s “unprecedented step” of talking about this issue will, for most people, just cause fear, without providing any meaningful way to address that fear. And that’s just sad – lowering technology issues to the level typically reserved for political punditry.