To Patch or Not To Patch

Well, Microsoft announced yesterday that it was going to release two critical vulnerability patches next Tuesday. This after deciding to release an emergency WMF patch. I lament a bit in this WMF article:

Pete Lindstrom, an analyst at Spire Security in Malvern, Pa., said the patch should give Windows users peace of mind, but it could also lull them into a false sense of security. Instead of focusing on individual flaws, users need to look at overall security issues to better protect themselves and their companies, he said.

"I think people focus on individual vulnerabilities because the jury is out on what a strategic vulnerability approach should look like," Lindstrom said. "There’s no reason for people to focus on this particular vulnerability except that this is the one we’re focusing on."

Releasing a patch for one critical vulnerability a week before releasing patches for two more critical vulnerabilities is an interesting conundrum. We already know that, for any patch to be worthwhile, the expected loss from leaving the hole open must exceed the actual cost of testing and deploying the patch itself (and if you count lost opportunity, double that cost).

Now the question is whether the extra x days of being patched against this particular vulnerability are worth that same amount of money (the cost of a separate patch cycle), assuming it costs about the same to test three patches together as it does to test two. For large enterprises in particular, which have high patching costs and are experiencing extremely low "infection" rates from WMF, the answer is to delay the patch and combine them all a week later.
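As an added illustration (not from the original post), the trade-off above in code: since adding WMF to next week's batch is assumed to cost nothing extra, patching it now costs one whole additional test-and-deploy cycle, and the benefit is the loss you would otherwise expect over the x days the hole stays open. All hosts, rates and dollar figures below are constructed assumptions, not data from the post.

```python
"""Patch-now-or-wait decision model for the WMF case discussed above.

Added example; every number here is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class PatchEconomics:
    hosts: int                    # machines exposed to the vulnerability
    daily_compromise_rate: float  # fraction of exposed hosts compromised per day (observed "infection" rate)
    loss_per_compromise: float    # expected cost of one compromised host, in dollars
    cycle_cost: float             # cost of one test-and-deploy cycle, in dollars
    count_lost_opportunity: bool = True  # the post's rule of thumb: double the cycle cost

    def cycle_cost_total(self) -> float:
        """Full cost of running an extra patch cycle just for this one fix."""
        return self.cycle_cost * (2 if self.count_lost_opportunity else 1)

    def expected_loss(self, days_exposed: int) -> float:
        """Expected loss from leaving the flaw open for days_exposed days."""
        return self.hosts * self.daily_compromise_rate * days_exposed * self.loss_per_compromise


def should_patch_early(e: PatchEconomics, days_early: int) -> Tuple[bool, float]:
    """Compare patching now (one extra cycle) with folding the fix into next week's batch.

    Returns (patch_now, net_benefit); net_benefit = loss avoided minus the extra cycle cost.
    """
    net = e.expected_loss(days_early) - e.cycle_cost_total()
    return net > 0, net


# Constructed scenarios: a large enterprise with a costly patch process and a
# very low observed infection rate, and a small shop with a cheap process but
# a high rate. Patching a week early is the gap the post describes.
LARGE_ENTERPRISE = PatchEconomics(hosts=50_000, daily_compromise_rate=0.00001,
                                  loss_per_compromise=2_000.0, cycle_cost=100_000.0)
SMALL_SHOP = PatchEconomics(hosts=500, daily_compromise_rate=0.002,
                            loss_per_compromise=5_000.0, cycle_cost=1_500.0)

if __name__ == "__main__":
    for name, org in (("large enterprise", LARGE_ENTERPRISE), ("small shop", SMALL_SHOP)):
        now, net = should_patch_early(org, days_early=7)
        print(f"{name}: {'patch now' if now else 'wait for the batch'} (net benefit ${net:,.0f})")
```

Run as-is, the large enterprise waits (net benefit of patching early is -$193,000) while the small shop patches now (+$32,000), which is the split the post predicts.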

2 comments for “To Patch or Not To Patch”

  1. January 8, 2006 at 11:58 pm

    I think you are partly correct.

    In the case of WMF there seem to be plenty of anti-virus products that effectively block most known forms of exploits. There is also the issue of client versus server patching. Patching servers is far more serious and expensive than client patching (due to the impact of affecting critical servers). Rolling out client patches is often fairly straightforward, and even phased roll-outs can be automated.

    The bit that you don’t seem to address is the political cost. When an exploit (and patch) such as WMF hits the mainstream press, you are now obligated to consider the backlash if you don’t appear to be doing something effective should the worst case in fact hit. (Or even something unrelated but likely to be misconstrued, such as the Sober worm activation set for January 6.)

  2. Pete
    January 9, 2006 at 9:48 am

    @Stuart -

    Good point on the client vs. server patching. I would expect that there is very little impact on servers from the WMF vulnerability.

    Regarding political costs of NOT taking action, I think that is a great point. All the fanfare can force (re)action. Meanwhile, there is Sober and the Oracle worm to consider.
